[silva-dev] Python unicode security vulnerability and impact on Silva deployments
faassen at infrae.com
Mon Oct 9 13:16:56 CEST 2006
Recently a security vulnerability has been discovered in the Python
interpreter. It could under certain circumstances lead to crashes or
even remote-code execution vulnerabilities in software that uses Python,
such as Zope and Silva.
This bug is therefore not specific to Silva alone - it affects any
Python-based software that uses the unicode string type and exposes a
user interface to (for instance) the web.
We do not think Silva deployments are urgently at risk, as it does
require some skill for an anonymous web user to get crafted unicode text
into the site, and then retrieve it again so that it is passed through
repr(). We do however nonetheless recommend an upgrade of the Python
version to fix this issue at the earliest opportunity.
The bug only occurs if you have a Python interpreter compiled with an
internal unicode representation of UCS4, and does not affect
interpreters compiled with UCS2. You can test whether this is the case
for the Python interpreter that is used to run Zope like this:
>>> import sys
>>> sys.maxunicode > 65536 and 'UCS4' or 'UCS2'
Warning: you need to make sure that you use the same Python interpreter
as the one used to run the Zope app server; you might have multiple
Python interpreters on your system and you have to identify whether the
one used to run Zope is at risk!
If your answer is UCS2 then you are not at risk. Normally hand-compiled
Python versions are not at risk unles you explicitly configured it to
work with UCS4.
If your Python interpreter is one shipped with a Linux distribution like
Ubuntu or Red Hat, you *will* be vulnerable, as these have been
configured with UCS4. You are also at risk if you compiled Python with
the UCS4 option.
If the answer is UCS4, you have several options:
* wait for security-fixed version of Python 2.3 to come out, and install
these so that your Zope uses it. At the time of this writing no such
security release has been made at http://www.python.org
* If you are on Ubuntu Dapper and are using a system Python for your
Zope deployment, do a system update and the fixed versions will be
installed. If you are on another Linux distribution and use the system
Python something similar will be possible as soon as your distribution
releases a security fix.
* recompile your Python version so it works with UCS2. You also need to
recompile any C-based extension library of Python that uses unicode:
lxml is one such example.
http://www.heise.de/newsticker/meldung/79153 (in German)
More information about the silva-dev