expandtab() integer overflow¶
Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by:
- the
string_expandtabs()
function inObjects/stringobject.c
- the
unicode_expandtabs()
function inObjects/unicodeobject.c
NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.
- Disclosure date: 2008-03-11 (commit date)
- Reported by: Chris Evans
Fixed In¶
- Python 2.5.3 (2008-12-19) fixed by commit 44a93e5 (branch 2.5) (2008-03-11)
- Python 2.6.0 (2008-10-01) fixed by commit 5bdff60 (branch 2.6) (2008-03-11)
- Python 3.0.0 (2008-12-03) fixed by commit dd15f6c (branch 3.0) (2008-03-16)
CVE-2008-5031¶
Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.
- CVE ID: CVE-2008-5031
- Published: 2008-11-10
- CVSS Score: 10.0
Timeline¶
Timeline using the disclosure date 2008-03-11 as reference:
- 2008-03-11: Disclosure date (commit date)
- 2008-03-11 (+0 days): commit 44a93e5 (branch 2.5)
- 2008-03-11 (+0 days): commit 5bdff60 (branch 2.6)
- 2008-03-16 (+5 days): commit dd15f6c (branch 3.0)
- 2008-10-01: Python 2.6.0 released
- 2008-11-10 (+244 days): CVE-2008-5031 published
- 2008-12-03: Python 3.0.0 released
- 2008-12-19 (+283 days): Python 2.5.3 released