Re: OT: What's up with the starship?




Fredrik Lundh wrote:
rurpy@xxxxxxxxx wrote:

Then perhaps you or he could explain it to us less intelligent
people in very simple terms?

the security advisory explains that the cause of the problem is a bug
in the source code used to implement repr() for 32-bit Unicode strings,
on all Python versions from 2.2 and onwards.

Python 2.2 was released in 2001.

I admit I am totally flummoxed by your answer.
What does when the bug was introduced have to do with
anything? It is present in contemporary versions of Python.
It "can lead to execution of arbitrary code". It is important
enough to drive an "emergency" (my term) bug fix python
release.

It seems to have been discussed publicly starting around
Oct 6 or 7 (I didn't do a thorough search so this may be wrong.)
It was fixed in Python 2.5 so either it was treated as an
ordinary bug with unrecognised security implications,
or the developers were aware of the security issues and
sat on them.

Regardless, I don't see anything in the advisory that either
makes it an unimportant issue, or makes it clearly unrelated
to the starship.python.net compromise.

So could you please try to explain again in even simpler
terms?



