[Python-Dev] Security Advisory for unicode repr() bug?

Georg Brandl g.brandl at gmx.net
Sat Oct 7 14:27:09 CEST 2006

skip at pobox.com wrote:
>     Georg> [ Bug http://python.org/sf/1541585 ]
>     Georg> This seems to be handled like a security issue by linux
>     Georg> distributors, it's also a news item on security related pages.
>     Georg> Should a security advisory be written and official patches be
>     Georg> provided?
> I asked about this a few weeks ago.  I got no direct response.  Secunia sent
> mail to webmaster and the SF project admins asking about how this could be
> exploited.  (Isn't figuring that stuff out their job?)

Perhaps, judging from the name :)

> This was corrected before 2.5 was released and the 2.4 source has (I think)
> already been patched, with 2.4.4 right around the corner.  The bulk of the
> Python installations in the field are probably running on Windows (most of
> them provided by HP/Compaq), and it seems the Linux vendors are all over it.
> I don't know if Apple has picked up on it (or if the version they currently
> distribute is affected - 2.3.5 built Oct 5 2005).  Would you provide a patch
> of some sort for Windows or just refer people to corrected installers?
> Given the apparently miserable results trying to get Windows users to
> install security fixes manually, I doubt a new 2.4.3 Windows installer would
> get much exercise.

Even if the patch / corrected installer is used by only 1% of all installations,
reacting quickly and providing it in the first place is going to make a much
better impression than saying "well, nobody is going to apply it and the next
release is due in a few weeks".

[CC'ing security at python.org]


More information about the Python-Dev mailing list