OT: What's up with the starship?

rurpy at yahoo.com rurpy at yahoo.com
Mon Oct 16 15:07:16 EDT 2006


Fredrik Lundh wrote:
> rurpy at yahoo.com wrote:
>
> > Then perhaps you or he could explain it to us less intelligent
> > people in very simple terms?
>
> the security advisory explains that the cause of the problem is a bug
> in the source code used to implement repr() for 32-bit Unicode strings,
> on all Python versions from 2.2 and onwards.
>
> Python 2.2 was released in 2001.

I admit I am totally flummoxed by your answer.
What does when the bug was introduced have to do with
anything?  It is present in contemporary versions of Python.
It "can lead to execution of arbitrary code".  It is important
enough to drive an "emergency" (my term) bug fix Python
release.

It seems to have been discussed publicly starting around
Oct 6 or 7 (I didn't do a thorough search so this may be wrong.)
It was fixed in Python 2.5 so either it was treated as an
ordinary bug with unrecognised security implications,
or the developers were aware of the security issues and
sat on them.

Regardless, I don't see anything in the advisory that either
makes it an unimportant issue, or makes it clearly unrelated
to the starship.python.net compromise.

So could you please try to explain again in even simpler 
terms?



