| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Sep 2007 00:24:04 -0700 From: Andrew Farmer <andfarm@...il.com> To: "Slythers Bro" <slythers@...il.com> Cc: Full-Disclosure dis <full-disclosure@...ts.grok.org.uk> Subject: Re: python <= 2.5.1 standart librairy multiples int overflow, heap overflow in imageop module On 15 Sep 07, at 16:53, Slythers Bro wrote: > The module imageop contains a lots of int overflow, which result in > heap overflow, and maybe memory dump. > The files imageop.c and rbgimgmodule.c are examples. <snip> The real question: Does anybody actually use those modules? Most Python programs that I've seen that do image processing use other methods, like PIL or calling out to Imagemagick. A bit of searching on Google Code Search didn't find me anything that actually used imageop or rgbimgmodule except test cases for those modules. rgbimgmodule isn't even part of a standard build of Python 2.5. Remember that Python is *not* a managed language - there's no guarantees of safety inherent in the language. In fact, there are easier ways to execute native code: take a look at ctypes, for example. While I'd definitely classify the behavior you've identified as a bug, it's unlikely to be exploitable in the context of any programs which use it (if, indeed, there are any). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists