Python 2.2: Buffer overflow in getaddrinfo() — GLSA 200409-03

Python 2.2 has a vulnerability in DNS handling when IPV6 is disabled and a malformed IPV6 address is encountered by getaddrinfo().

Affected Packages

dev-lang/python on all architectures
Affected versions < 2.2.2
Unaffected versions >= 2.2.2, < 2.2

Background

Python is an interpreted, interactive, object-oriented, cross-platform programming language.

Description

If IPV6 is disabled in Python 2.2, getaddrinfo() is not able to handle IPV6 DNS requests properly and a buffer overflow occurs.

Impact

An attacker can execute arbitrary code as the user running python.

Workaround

Users with IPV6 enabled are not affected by this vulnerability.

Resolution

All Python 2.2 users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=dev-lang/python-2.2.2"
 # emerge ">=dev-lang/python-2.2.2"

References

Release Date
September 02, 2004

Latest Revision
September 02, 2004: 01

Severity
high

Exploitable
remote

Bugzilla entries