製品・ソフトウェアに関する情報

JVN脆弱性詳細

Python における整数オーバーフローの脆弱性

Title	Python における整数オーバーフローの脆弱性
Summary	Python には、stringobject、unicodeobject、bufferobject、longobject、tupleobject、stropmodule、gcmodule、mmapmodule モジュールに関連する整数オーバーフローの脆弱性が存在します。
Possible impacts	この脆弱性による影響の詳細は不明です。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 1, 2008, midnight
Registration Date	March 17, 2009, 12:05 p.m.
Last Update	Jan. 19, 2010, 3:48 p.m.

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

サン・マイクロシステムズ

OpenSolaris (sparc)

OpenSolaris (x86)

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

レッドハット

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.3.z (server)

RHEL Desktop Workstation 5 (client)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

アップル

Apple Mac OS X v10.4.11

Apple Mac OS X v10.5.6

Apple Mac OS X Server v10.4.11

Apple Mac OS X Server v10.5.6

Python Software Foundation

Python 2.5.2 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-2315	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
National Vulnerability Database (NVD)
2	CVE-2008-2315	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2315

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT3438	http://support.apple.com/kb/HT3438
Apple セキュリティアップデート
2	HT3438	http://support.apple.com/kb/HT3438?viewlocale=ja_JP
Asianux Technical Support Network
3	python-2.4.3-24.6.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=726
MIRACLE LINUX アップデート情報
4	1757	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1757
Python
5	Top Page	http://www.python.org/
Red Hat Security Advisory
6	RHSA-2009:1176	https://rhn.redhat.com/errata/RHSA-2009-1176.html
7	RHSA-2009:1177	https://rhn.redhat.com/errata/RHSA-2009-1177.html
8	RHSA-2009:1178	https://rhn.redhat.com/errata/RHSA-2009-1178.html
Sun Alert Notification
9	273570	http://sunsolve.sun.com/search/document.do?assetkey=1-66-273570-1
レッドハットセキュリティーアップデート
10	RHSA-2009:1176	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1176J.html
11	RHSA-2009:1177	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1177J.html
12	RHSA-2009:1178	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1178J.html

その他

No	Name	URL
ISS X-Force Database
1	44172	http://xforce.iss.net/xforce/xfdb/44172
Secunia Advisory
2	SA31305	http://secunia.com/advisories/31305
3	SA33937	http://secunia.com/advisories/33937
SecurityFocus
4	30491	http://www.securityfocus.com/bid/30491
VUPEN Security
5	VUPEN/ADV-2008-2288	http://www.vupen.com/english/advisories/2008/2288

Change Log

No	Changed Details	Date of change
0	[2009年03月17日] 掲載 [2009年08月20日] 影響を受けるシステム：ミラクル・リナックス (1757) の情報を追加影響を受けるシステム：レッドハット (RHSA-2009:1176) の情報を追加影響を受けるシステム：レッドハット (RHSA-2009:1177) の情報を追加影響を受けるシステム：レッドハット (RHSA-2009:1178) の情報を追加ベンダ情報：ミラクル・リナックス (1757) を追加ベンダ情報：レッドハット (RHSA-2009:1176) を追加ベンダ情報：レッドハット (RHSA-2009:1177) を追加ベンダ情報：レッドハット (RHSA-2009:1178) を追加 [2009年10月06日] 影響を受けるシステム：ミラクル・リナックス (python-2.4.3-24.6.1AXS3) の情報を追加ベンダ情報：ミラクル・リナックス (python-2.4.3-24.6.1AXS3) を追加 [2010年01月19日] 影響を受けるシステム：サン・マイクロシステムズ (273570) の情報を追加ベンダ情報：サン・マイクロシステムズ (273570) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-2315

Summary	Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.
Publication Date	Aug. 1, 2008, 11:41 p.m.
Registration Date	Jan. 29, 2021, 1:36 p.m.
Last Update	Aug. 3, 2023, 2:14 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:python:python::::::::			2.5.2

Related information, measures and tools

No	URL	refsource	タグ
1	http://bugs.gentoo.org/attachment.cgi?id=159418&action=view	CONFIRM	Exploit
2	http://bugs.gentoo.org/show_bug.cgi?id=230640	CONFIRM	Third Party Advisory
3	http://security.gentoo.org/glsa/glsa-200807-16.xml	GENTOO	Third Party Advisory
4	http://www.mandriva.com/security/advisories?name=MDVSA-2008:164	MANDRIVA	Broken Link Third Party Advisory
5	http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.525289	SLACKWARE	Third Party Advisory
6	http://secunia.com/advisories/31305	SECUNIA	Broken Link
7	http://secunia.com/advisories/31365	SECUNIA	Broken Link
8	http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5032900	CONFIRM	Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html	SUSE	Third Party Advisory
10	http://secunia.com/advisories/31358	SECUNIA	Broken Link
11	http://www.securityfocus.com/bid/30491	BID	Third Party Advisory VDB Entry
12	http://secunia.com/advisories/31332	SECUNIA	Broken Link
13	http://www.ubuntu.com/usn/usn-632-1	UBUNTU	Third Party Advisory
14	http://secunia.com/advisories/31518	SECUNIA	Broken Link
15	http://www.mandriva.com/security/advisories?name=MDVSA-2008:163	MANDRIVA	Broken Link Third Party Advisory
16	http://secunia.com/advisories/31687	SECUNIA	Broken Link
17	http://www.openwall.com/lists/oss-security/2008/11/05/2	MLIST	Mailing List
18	http://www.openwall.com/lists/oss-security/2008/11/05/3	MLIST	Mailing List
19	http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html	APPLE	Mailing List
20	http://secunia.com/advisories/33937	SECUNIA	Broken Link
21	http://www.debian.org/security/2008/dsa-1667	DEBIAN	Third Party Advisory
22	http://secunia.com/advisories/32793	SECUNIA	Broken Link
23	http://support.apple.com/kb/HT3438	CONFIRM	Third Party Advisory
24	http://www.vupen.com/english/advisories/2009/3316	VUPEN	Broken Link Third Party Advisory
25	http://www.vmware.com/security/advisories/VMSA-2009-0016.html	CONFIRM	Third Party Advisory
26	http://secunia.com/advisories/37471	SECUNIA	Broken Link
27	http://support.avaya.com/css/P8/documents/100074697	CONFIRM	Third Party Advisory
28	http://secunia.com/advisories/38675	SECUNIA	Broken Link
29	http://www.vupen.com/english/advisories/2008/2288	VUPEN	Broken Link Third Party Advisory
30	https://exchange.xforce.ibmcloud.com/vulnerabilities/44173	XF	VDB Entry
31	https://exchange.xforce.ibmcloud.com/vulnerabilities/44172	XF	VDB Entry
32	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9761	OVAL	Broken Link
33	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8683	OVAL	Broken Link
34	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8445	OVAL	Broken Link
35	http://www.securityfocus.com/archive/1/507985/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-190	整数オーバーフローまたはラップアラウンド	https://cwe.mitre.org/data/definitions/190.html