CVE-2007-4965 - Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent

CVE-2007-4965

Summary

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.

References

Vulnerable Configurations

cpe:2.3:a:python:python:-:*:*:*:*:*:*:*
cpe:2.3:a:python:python:-:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.8:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.8:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.9:*:*:*:*:*:*:*
cpe:2.3:a:python:python:0.9.9:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.6:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.6:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.5.1:*:*:*:*:*:*:*

CVSS

Base:	5.8 (as of 02-08-2023 - 18:52)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:P

oval via4

accepted

2013-04-29T04:08:56.150-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10804

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

accepted

2014-01-20T04:01:39.548-05:00

class

vulnerability

contributors

name Pai Peng
organization Hewlett-Packard
name Chris Coffin
organization The MITRE Corporation

definition_extensions

comment VMWare ESX Server 3.0.3 is installed
oval oval:org.mitre.oval:def:6026
comment VMware ESX Server 3.5.0 is installed
oval oval:org.mitre.oval:def:5887
comment VMware ESX Server 4.0 is installed
oval oval:org.mitre.oval:def:6293

description

family

unix

oval:org.mitre.oval:def:8486

status

accepted

submitted

2010-03-19T16:57:59.000-04:00

title

VMware python integer overflows vulnerability in the imageop module

version

accepted

2010-03-01T04:00:29.099-05:00

class

vulnerability

contributors

name	Pai Peng
organization	Hewlett-Packard

definition_extensions

comment Solaris 10 (SPARC) is installed
oval oval:org.mitre.oval:def:1440
comment Solaris 10 (x86) is installed
oval oval:org.mitre.oval:def:1926

description

family

unix

oval:org.mitre.oval:def:8496

status

accepted

submitted

2010-01-19T17:52:34.000-05:00

title

Multiple Buffer and Integer Overflow Vulnerabilities in Python (python(1)) May Lead to a Denial of Service (DoS) or Allow Execution of Arbitrary Code

version

redhat via4

advisories

bugzilla

id	383371
title	CVE-2006-7228 pcre integer overflow

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment python is earlier than 0:2.3.4-14.4.el4_6.1
oval oval:com.redhat.rhsa:tst:20071076001
comment python is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060197002
AND
comment python-devel is earlier than 0:2.3.4-14.4.el4_6.1
oval oval:com.redhat.rhsa:tst:20071076003
comment python-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060197004
AND
comment python-docs is earlier than 0:2.3.4-14.4.el4_6.1
oval oval:com.redhat.rhsa:tst:20071076005
comment python-docs is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060197006
AND
comment python-tools is earlier than 0:2.3.4-14.4.el4_6.1
oval oval:com.redhat.rhsa:tst:20071076007
comment python-tools is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060197008
AND
comment tkinter is earlier than 0:2.3.4-14.4.el4_6.1
oval oval:com.redhat.rhsa:tst:20071076009
comment tkinter is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060197010

rhsa

id	RHSA-2007:1076
released	2007-12-10
severity	Moderate
title	RHSA-2007:1076: python security update (Moderate)

rhsa
id RHSA-2008:0629

rpms

python-0:2.2.3-6.8
python-0:2.3.4-14.4.el4_6.1
python-debuginfo-0:2.2.3-6.8
python-debuginfo-0:2.3.4-14.4.el4_6.1
python-devel-0:2.2.3-6.8
python-devel-0:2.3.4-14.4.el4_6.1
python-docs-0:2.3.4-14.4.el4_6.1
python-tools-0:2.2.3-6.8
python-tools-0:2.3.4-14.4.el4_6.1
tkinter-0:2.2.3-6.8
tkinter-0:2.3.4-14.4.el4_6.1
rhn-solaris-bootstrap-0:5.0.2-3
rhn_solaris_bootstrap_5_0_2_3-0:1-0
rhn-solaris-bootstrap-0:5.0.2-3
rhn_solaris_bootstrap_5_0_2_3-0:1-0
rhn-solaris-bootstrap-0:5.1.1-3
rhn_solaris_bootstrap_5_1_1_3-0:1-0
python-0:2.4.3-24.el5_3.6
python-debuginfo-0:2.4.3-24.el5_3.6
python-devel-0:2.4.3-24.el5_3.6
python-tools-0:2.4.3-24.el5_3.6
tkinter-0:2.4.3-24.el5_3.6

refmap via4

apple	APPLE-SA-2007-12-17 APPLE-SA-2009-02-12
bid	25696
bugtraq	20080212 FLEA-2008-0002-1 python 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
cert	TA07-352A
confirm	http://bugs.gentoo.org/show_bug.cgi?id=192876 http://docs.info.apple.com/article.html?artnum=307179 http://support.apple.com/kb/HT3438 http://support.avaya.com/css/P8/documents/100074697 http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0254 http://www.vmware.com/security/advisories/VMSA-2009-0016.html https://issues.rpath.com/browse/RPL-1885
debian	DSA-1551 DSA-1620
fedora	FEDORA-2007-2663
fulldisc	20070916 python <= 2.5.1 standart librairy multiples int overflow, heap overflow in imageop module
gentoo	GLSA-200711-07
mandriva	MDVSA-2008:012 MDVSA-2008:013
mlist	[Security-announce] 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates
secunia	26837 27460 27562 27872 28136 28480 28838 29032 29303 29889 31255 31492 33937 37471 38675
suse	SUSE-SR:2008:003
ubuntu	USN-585-1
vupen	ADV-2007-3201 ADV-2007-4238 ADV-2008-0637 ADV-2009-3316
xf	python-imageop-bo(36653)

statements via4

contributor	Joshua Bressers
lastmodified	2007-10-15
organization	Red Hat
statement	Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=295971 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Last major update

02-08-2023 - 18:52

Published

18-09-2007 - 22:17

Last modified

02-08-2023 - 18:52