
Re: [Fwd: [SECURITY] [DSA 817-1] New python2.2 packages fix arbitrary code execution]





Michal Jaegermann wrote:
On Sun, Sep 25, 2005 at 02:51:57PM -0400, Jim Popovitch wrote:

Michal, I am confused about all your comments on this thread.


You raised a possibility that PCRE bugs affect also various Python
packages.  Quite timely alert, I would say, and from all what we
know by now you were right.  After that we got some followups on
the topic and some which left me somewhat baffled.


Now today I see that you already opened a bug back on 16-Sept

 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516


Indeed I wrote that.  But this is about bugs in 'pcre' package
itself.  Fixing that does not seem to help 'python<whatever>'
as that appears to re-cycle that code with security bugs directly
and not using 'pcre' as a library.  Even if that would be used
as a statically linked library then all affected packages would
need to be at least recompiled (but most likely they need direct
patches).

So the report you quote is not sufficient as bugzilla entries
are for a package and not for a bug with a list of all possible
packages where this may apply.  Therefore we need a corresponding
entry in bugzilla.  If you cannot and/or do not want to do that
then say so and somebody else will have to write something up.


OK, I have opened 169235 as "python2.2 integer overflow"
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169235)

Please, please double check what I did. As I've mentioned before I am not all that up to speed wrt Bugzilla best practices.

Thank you Michal for your help/explanations so far.

-Jim P.

