[Fwd: [SECURITY] [DSA 817-1] New python2.2 packages fix arbitrary code execution]
Jim Popovitch
jimpop at yahoo.com
Sun Sep 25 20:59:21 UTC 2005
Michal Jaegermann wrote:
> On Sun, Sep 25, 2005 at 02:51:57PM -0400, Jim Popovitch wrote:
>
>>Michal, I am confused about all your comments on this thread.
>
>
> You raised a possibility that PCRE bugs affect also various Python
> packages. Quite timely alert, I would say, and from all what we
> know by now you were right. After that we got some followups on
> the topic and some which left me somewhat baffled.
>
>
>>Now
>>today I see that you already opened a bug back on 16-Sept
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516
>
>
> Indeed I wrote that. But this is about bugs in 'pcre' package
> itself. Fixing that does not seem to help 'python<whatever>'
> as that appears to re-cycle that code with security bugs directly
> and not using 'pcre' as a library. Even if that would be used
> as a statically linked library then all affected packages would
> need to be at least recompiled (but most likely they need direct
> patches).
>
> So the report you quote is not sufficient as bugzilla entries
> are for a package and not for a bug with a list of all possible
> packages where this may apply. Therefore we need a corresponding
> entry in bugzilla. If you cannot and/or do not want to do that
> then say so and somebody else will have to write something up.
>
OK, I have opened 169235 as "python2.2 integer overflow"
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169235)
Please, please double check what I did. As I've mentioned before, I am
not all that up to speed wrt Bugzilla best practices.
Thank you Michal for your help/explanations so far.
-Jim P.