[Silva-general] Python unicode security vulnerability and impact on Silva deployments
Martijn Faassen
faassen at infrae.com
Mon Oct 9 13:16:56 CEST 2006
Hi there,
Recently a security vulnerability has been discovered in the Python
interpreter. It could under certain circumstances lead to crashes or
even remote-code execution vulnerabilities in software that uses Python,
such as Zope and Silva.
This bug is therefore not specific to Silva alone - it affects any
Python-based software that uses the unicode string type and exposes a
user interface to (for instance) the web.
We do not think Silva deployments are urgently at risk, as it does
require some skill for an anonymous web user to get crafted unicode text
into the site, and then retrieve it again so that it is passed through
repr(). We do however nonetheless recommend an upgrade of the Python
version to fix this issue at the earliest opportunity.
The bug only occurs if you have a Python interpreter compiled with an
internal unicode representation of UCS4, and does not affect
interpreters compiled with UCS2. You can test whether this is the case
for the Python interpreter that is used to run Zope like this:
>>> import sys
>>> sys.maxunicode > 65536 and 'UCS4' or 'UCS2'
Warning: you need to make sure that you use the same Python interpreter
as the one used to run the Zope app server; you might have multiple
Python interpreters on your system and you have to identify whether the
one used to run Zope is at risk!
If your answer is UCS2 then you are not at risk. Normally hand-compiled
Python versions are not at risk unless you explicitly configured them to
work with UCS4.
If your Python interpreter is one shipped with a Linux distribution like
Ubuntu or Red Hat, you *will* be vulnerable, as these have been
configured with UCS4. You are also at risk if you compiled Python with
the UCS4 option.
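Added example, not part of the original mail: the same sys.maxunicode check
wrapped in a small script that probes a specific interpreter by path, so it
can be pointed at the exact Python named in the Zope start script rather than
whatever "python" happens to be first on PATH. The script name and the
path argument are assumptions; the classification rule is the one the mail
gives (UCS4 build = at risk, UCS2 build = not at risk). One caveat that goes
beyond the mail: Python 3.3 and later use a flexible string representation
(PEP 393) and always report sys.maxunicode == 1114111, so on those versions
the UCS2/UCS4 build option, and therefore this check, no longer applies; the
script reports such interpreters separately instead of calling them at risk.

```python
import subprocess
import sys

# Values of sys.maxunicode for the two compile-time unicode widths that
# Python 2.x (and 3.0-3.2) builds could be configured with.
UCS2_MAX = 0xFFFF      # 65535: 16-bit internal representation
UCS4_MAX = 0x10FFFF    # 1114111: 32-bit internal representation


def classify_build(version_info, maxunicode):
    """Classify an interpreter by its unicode build, per the mail's check.

    version_info is a (major, minor) tuple, maxunicode the interpreter's
    sys.maxunicode. Returns 'UCS2', 'UCS4' or 'PEP393'. Python 3.3+ uses a
    flexible per-string representation (PEP 393), so for those versions the
    UCS2/UCS4 distinction the mail describes does not exist.
    """
    if tuple(version_info[:2]) >= (3, 3):
        return 'PEP393'
    if maxunicode > UCS2_MAX:
        return 'UCS4'
    return 'UCS2'


def at_risk(build):
    """The mail's rule: interpreters compiled with UCS4 are the ones at risk."""
    return build == 'UCS4'


def probe_interpreter(python_path):
    """Run the given interpreter and ask it for its version and maxunicode.

    The point of taking a path (hypothetical argument, e.g. the interpreter
    named in your Zope start script) is the warning in the mail: you must
    test the Python that actually runs Zope, not another one on the system.
    The probe uses sys.stdout.write so it works under both Python 2 and 3.
    """
    probe = ('import sys; sys.stdout.write("%d %d %d\\n" % '
             '(sys.version_info[0], sys.version_info[1], sys.maxunicode))')
    out = subprocess.check_output([python_path, '-c', probe]).decode().split()
    major, minor, maxunicode = (int(x) for x in out)
    build = classify_build((major, minor), maxunicode)
    return {'python': python_path, 'version': (major, minor),
            'maxunicode': maxunicode, 'build': build, 'at_risk': at_risk(build)}


def probe_self():
    """Convenience: probe the interpreter running this script."""
    return probe_interpreter(sys.executable)


if __name__ == '__main__':
    # Usage: python check_ucs.py /path/to/zope/bin/python
    # (defaults to the interpreter running this script)
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    info = probe_interpreter(target)
    print('%s: Python %d.%d, maxunicode=%d, build=%s, at_risk=%s' % (
        info['python'], info['version'][0], info['version'][1],
        info['maxunicode'], info['build'], info['at_risk']))
```

Run it once per interpreter you suspect Zope might be using; if the reported
build is UCS4 on a 2.x interpreter, follow one of the options below.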
If the answer is UCS4, you have several options:
* wait for a security-fixed version of Python 2.3 to come out, and install
it so that your Zope uses it. At the time of this writing no such
security release has been made at http://www.python.org
* If you are on Ubuntu Dapper and are using a system Python for your
Zope deployment, do a system update and the fixed versions will be
installed. If you are on another Linux distribution and use the system
Python something similar will be possible as soon as your distribution
releases a security fix.
* recompile your Python version so it works with UCS2. You also need to
recompile any C-based extension library of Python that uses unicode:
lxml is one such example.
More information:
http://sourceforge.net/tracker/index.php?func=detail&aid=1541585&group_id=5470&atid=305470
http://www.heise.de/newsticker/meldung/79153 (in German)
Regards,
Martijn