Python vulnerability permits remote attacks

Thousands of applications, including many large and mission-critical systems at enterprises like Industrial Light & Magic, Google and NASA, are vulnerable to a bug that could allow a remote attacker to execute arbitrary code or gain system access. Applications and systems using Python -- including Debian GNU/Linux and Mandrake Linux -- may need to be updated or rebuilt.
Python developer Sebastian Schmidt has discovered a vulnerability in the getaddrinfo function, which resolves a host and port into the addrinfo struct. A remote attacker could supply a specially crafted IPv6 address via DNS that could cause a buffer overflow, permitting execution of arbitrary code and unauthorized system access. This only occurs if Python is configured without IPv6 support. Only a week ago, another Python vulnerability was discovered involving Debian and Apache that allowed a remote denial of service.
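
The defensive check this class of bug calls for, as an added illustration that is not code from Python or from this article: a resolver result is copied into IPv4-only storage only after its family and length are validated. The `resolved_addr` struct, the function names and the sample addresses are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical stand-in for one resolver result; family and length are
   controlled by whoever answers the DNS query. */
struct resolved_addr {
    int family;              /* AF_INET or AF_INET6 */
    size_t length;           /* 4 for IPv4, 16 for IPv6 */
    unsigned char bytes[16];
};

/* Store a result in IPv4-only storage, as a build without IPv6 support
   would. Returns 0 on success, -1 when the result is rejected. */
int store_ipv4_only(const struct resolved_addr *res, struct sockaddr_in *out)
{
    /* Unsafe pattern for this bug class:
       memcpy(&out->sin_addr, res->bytes, res->length);
       a 16-byte IPv6 result would overrun the 4-byte sin_addr field. */
    if (res->family != AF_INET || res->length != sizeof(out->sin_addr))
        return -1;
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    memcpy(&out->sin_addr, res->bytes, sizeof(out->sin_addr));
    return 0;
}

/* Constructed samples using documentation-range addresses. */
struct resolved_addr sample_v4(void)   /* 192.0.2.1 */
{
    struct resolved_addr r = { AF_INET, 4, { 192, 0, 2, 1 } };
    return r;
}

struct resolved_addr sample_v6(void)   /* 2001:db8::1 */
{
    struct resolved_addr r = { AF_INET6, 16, { 0x20, 0x01, 0x0d, 0xb8 } };
    r.bytes[15] = 1;
    return r;
}

int main(void)
{
    struct sockaddr_in sa;
    struct resolved_addr v4 = sample_v4(), v6 = sample_v6();
    printf("IPv4 result: %d\n", store_ipv4_only(&v4, &sa));
    printf("IPv6 result: %d\n", store_ipv4_only(&v6, &sa));
    return 0;
}
```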