The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0027 advisory.
Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory. (CVE-2008-5983)
Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference. (CVE-2009-4134)
Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12. (CVE-2010-1449)
Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function. (CVE-2010-1450)
Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5. (CVE-2010-1634)
The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634. (CVE-2010-2089)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2011-0027.
##

include('compat.inc');

if (description)
{
  script_id(181052);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/07");

  script_cve_id(
    "CVE-2008-5983",
    "CVE-2009-4134",
    "CVE-2010-1449",
    "CVE-2010-1450",
    "CVE-2010-1634",
    "CVE-2010-2089"
  );

  script_name(english:"Oracle Linux 5 : python (ELSA-2011-0027)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2011-0027 advisory.
- Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and
possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a
path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in
the current working directory. (CVE-2008-5983)
- Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service
(application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an
invalid pointer dereference. (CVE-2009-4134)
- Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an
unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2008-3143.12. (CVE-2010-1449)
- Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to
have an unspecified impact via an image file containing crafted data that triggers improper processing
within the (1) longimagedata or (2) expandrow function. (CVE-2010-1450)
- Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow
context-dependent attackers to cause a denial of service (application crash) via a large fragment, as
demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer
overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5. (CVE-2010-1634)
- The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte
string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption
and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte
string, a different vulnerability than CVE-2010-1634. (CVE-2010-2089)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2011-0027.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-1450");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2010-1449");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:tkinter");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}

include('rpm.inc');

# Preconditions: local checks are enabled and the host identifies as Oracle Linux.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');

# Parse the release string and require Oracle Linux 5.
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 5', 'Oracle Linux ' + os_ver);

# The installed RPM list and a supported CPU architecture are required.
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

# Package references from ELSA-2011-0027, one entry per package and architecture.
var pkgs = [
    {'reference':'python-2.4.3-43.el5', 'cpu':'i386', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-devel-2.4.3-43.el5', 'cpu':'i386', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-libs-2.4.3-43.el5', 'cpu':'i386', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-tools-2.4.3-43.el5', 'cpu':'i386', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'tkinter-2.4.3-43.el5', 'cpu':'i386', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-2.4.3-43.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-devel-2.4.3-43.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-libs-2.4.3-43.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-tools-2.4.3-43.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'tkinter-2.4.3-43.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE}
];

# Check each reference against the installed RPM list; flag counts the matches.
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        # This branch passes the host cpu rather than the per-package _cpu;
        # no entry in pkgs sets exists_check, so it is not reached in this plugin.
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

# Report when at least one package matched; otherwise audit out with the reason.
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python / python-devel / python-libs / etc');
}
```
Vendor | Product | Version | CPE |
---|---|---|---|
oracle | linux | 5 | cpe:/o:oracle:linux:5 |
oracle | linux | python | p-cpe:/a:oracle:linux:python |
oracle | linux | python-devel | p-cpe:/a:oracle:linux:python-devel |
oracle | linux | python-libs | p-cpe:/a:oracle:linux:python-libs |
oracle | linux | python-tools | p-cpe:/a:oracle:linux:python-tools |
oracle | linux | tkinter | p-cpe:/a:oracle:linux:tkinter |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1449
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1450
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
linux.oracle.com/errata/ELSA-2011-0027.html