[Python-Dev] blocking 2.7
Victor Stinner victor.stinner at haypocalc.com
Sat Jul 3 14:26:53 CEST 2010
On Saturday 03 July 2010 12:17:16, Mark Dickinson wrote:
> On Sat, Jul 3, 2010 at 4:28 AM, Benjamin Peterson <benjamin at python.org> wrote:
> > This is just a note that we have one bug blocking 2.7 final at the
> > moment: http://bugs.python.org/issue9144
>
> I've just made http://bugs.python.org/issue7673 a release blocker too, I'm afraid. It's a potential security vulnerability in the audioop module. (CVE-2010-2089)
At least, Fedora considers it a security vulnerability:
https://bugzilla.redhat.com/show_bug.cgi?id=598197
I agree because the crash is caused by the input data.
> It's got a reviewed patch, and is ready to be committed
Thanks because my first patch was incomplete :-)
> but if you're not comfortable with fixing it this late then that's completely understandable.
In the worst case, a function rejects valid data. If I have to choose, I prefer rejecting valid data over a security vulnerability. But audioop has tests and I don't think that my patch breaks anything :-)
--
Victor Stinner
http://www.haypocalc.com/