Multiple integer overflows (Google)¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to:
Include/pymem.h
Modules/
:_csv.c
_struct.c
arraymodule.c
audioop.c
binascii.c
cPickle.c
cStringIO.c
datetimemodule.c
md5.c
rgbimgmodule.c
stropmodule.c
Modules/cjkcodecs/multibytecodec.c
Objects/
:bufferobject.c
listobject.c
obmalloc.c
Parser/node.c
Python/
:asdl.c
ast.c
bltinmodule.c
compile
as addressed by “checks for integer overflows, contributed by Google.”
Dates:
- Disclosure date: 2008-04-11 (Python issue bpo-2620 reported)
Fixed In¶
- Python 2.5.3 (2008-12-19) fixed by commit 83ac014 (branch 2.5) (2008-07-28)
- Python 2.6.0 (2008-10-01) fixed by commit 0470bab (branch 2.6) (2008-07-22)
- Python 3.0.0 (2008-12-03) fixed by commit d492ad8 (branch 3.1) (2008-07-23)
Python issue¶
Multiple buffer overflows in unicode processing.
- Python issue: bpo-2620
- Creation date: 2008-04-11
- Reporter: Justin Ferguson
CVE-2008-3143¶
Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by “checks for integer overflows, contributed by Google.”
- CVE ID: CVE-2008-3143
- Published: 2008-08-01
- CVSS Score: 7.5
Timeline¶
Timeline using the disclosure date 2008-04-11 as reference:
- 2008-04-11: Python issue bpo-2620 reported by Justin Ferguson
- 2008-07-22 (+102 days): commit 0470bab (branch 2.6)
- 2008-07-23 (+103 days): commit d492ad8 (branch 3.1)
- 2008-07-28 (+108 days): commit 83ac014 (branch 2.5)
- 2008-08-01 (+112 days): CVE-2008-3143 published
- 2008-10-01: Python 2.6.0 released
- 2008-12-03: Python 3.0.0 released
- 2008-12-19 (+252 days): Python 2.5.3 released