[Python-Dev] Security Advisory for unicode repr() bug?

M.-A. Lemburg mal at egenix.com
Sat Oct 7 16:36:00 CEST 2006

Georg Brandl wrote:
> skip at pobox.com wrote:
>>     Georg> [ Bug http://python.org/sf/1541585 ]
>>     Georg> This seems to be handled like a security issue by linux
>>     Georg> distributors, it's also a news item on security related pages.
>>     Georg> Should a security advisory be written and official patches be
>>     Georg> provided?
>> I asked about this a few weeks ago.  I got no direct response.  Secunia sent
>> mail to webmaster and the SF project admins asking about how this could be
>> exploited.  (Isn't figuring that stuff out their job?)
> Perhaps, judging from the name :)
>> This was corrected before 2.5 was released and the 2.4 source has (I think)
>> already been patched, with 2.4.4 right around the corner.  The bulk of the
>> Python installations in the field are probably running on Windows (most of
>> them provided by HP/Compaq), and it seems the Linux vendors are all over it.
>> I don't know if Apple has picked up on it (or if the version they currently
>> distribute is affected - 2.3.5 built Oct 5 2005).  Would you provide a patch
>> of some sort for Windows or just refer people to corrected installers?
>> Given the apparently miserable results trying to get Windows users to
>> install security fixes manually, I doubt a new 2.4.3 Windows installer would
>> get much exercise.
> Even if the patch / corrected installer is used by only 1% of all installations,
> reacting quickly and providing it in the first place is going to make a much
> better impression than saying "well, nobody is going to apply it and the next
> release is due in a few weeks".

Note that the bug refers to a UCS4 Python build. Most Linux
distros ship UCS4 builds nowadays, so they care. The Windows
builds are UCS2 (except maybe the ones for Win64 - don't know)
which doesn't seem to be affected.

+1 on publishing the patch for 2.4. It's always better to react
quickly in such cases, even if it just gives users a fuzzy warm
feeling of being cared for :-) Whether such patches get installed
or not is not really a question to ask, since it's not within
our responsibility.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Oct 07 2006)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::

More information about the Python-Dev mailing list