CVE-2010-2089
First published: Mon Jan 11 2010(Updated: )
Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2010-2089">CVE-2010-2089</a> to the following vulnerability: The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than <a href="https://access.redhat.com/security/cve/CVE-2010-1634">CVE-2010-1634</a>. References: [1] <a href="http://bugs.python.org/issue7673">http://bugs.python.org/issue7673</a> Public PoC (from [1]): $ python -c "import audioop; audioop.reverse('X', 2)" Fatal Python error: Inconsistent interned string state. Abandon
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Python | >=3.1.0<3.1.3 | |
| Python Python | >=2.6.0<2.6.6 | |
| Python Python | >=2.5.0<2.5.6 | |
| redhat/python | <0:2.3.4-14.10.el4 | 0:2.3.4-14.10.el4 |
| redhat/python | <0:2.4.3-43.el5 | 0:2.4.3-43.el5 |
| ubuntu/python2.4 | <2.4.5-1ubuntu4.4 | 2.4.5-1ubuntu4.4 |
| ubuntu/python2.5 | <2.5.2-2ubuntu6.2 | 2.5.2-2ubuntu6.2 |
| ubuntu/python2.6 | <2.6.5-1ubuntu6.1 | 2.6.5-1ubuntu6.1 |
| ubuntu/python2.6 | <2.6.5+20100706-1 | 2.6.5+20100706-1 |
| ubuntu/python2.7 | <2.7-1 | 2.7-1 |
| ubuntu/python3.1 | <3.1.2-0ubuntu3.2 | 3.1.2-0ubuntu3.2 |
| ubuntu/python3.1 | <3.1.3-1 | 3.1.3-1 |
| ubuntu/python3.2 | <3.2 | 3.2 |
| debian/python2.7 | 2.7.18-8+deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugs.python.org/issue7673
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html
- http://www.securityfocus.com/bid/40863
- http://secunia.com/advisories/40194
- http://www.vupen.com/english/advisories/2010/1448
- https://bugzilla.redhat.com/show_bug.cgi?id=598197
- http://www.vupen.com/english/advisories/2011/0122
- http://www.redhat.com/support/errata/RHSA-2011-0027.html
- http://secunia.com/advisories/42888
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
- http://secunia.com/advisories/43068
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://www.vupen.com/english/advisories/2011/0212
- http://support.apple.com/kb/HT5002
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://www.ubuntu.com/usn/USN-1596-1
- http://www.ubuntu.com/usn/USN-1613-2
- http://www.ubuntu.com/usn/USN-1613-1
- http://secunia.com/advisories/51040
- http://secunia.com/advisories/50858
- http://www.ubuntu.com/usn/USN-1616-1
- http://secunia.com/advisories/51087
- http://secunia.com/advisories/51024
- https://www.cve.org/CVERecord?id=CVE-2010-2089 https://nvd.nist.gov/vuln/detail/CVE-2010-2089
- https://access.redhat.com/errata/RHSA-2011:0491
- https://access.redhat.com/errata/RHSA-2011:0027
- https://access.redhat.com/security/cve/CVE-2010-2089
- https://launchpad.net/bugs/cve/CVE-2010-2089
- https://access.redhat.com/security/cve/CVE-2010-1634
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=418359&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=418359&action=edit
- http://admin.fedoraproject.org/updates/python-2.6.2-8.fc12
- http://admin.fedoraproject.org/updates/python-2.6.4-27.fc13
- http://admin.fedoraproject.org/updates/python-2.6-14.fc11
- http://admin.fedoraproject.org/updates/python3-3.1.2-6.fc13
- http://admin.fedoraproject.org/updates/python26-2.6.5-5.el5
- https://rhn.redhat.com/errata/RHSA-2011-0027.html
- https://rhn.redhat.com/errata/RHSA-2011-0491.html
- https://security-tracker.debian.org/tracker/CVE-2010-2089
- https://ubuntu.com/security/notices/USN-1596-1
- https://ubuntu.com/security/notices/USN-1613-1
- https://ubuntu.com/security/notices/USN-1613-2
- https://ubuntu.com/security/notices/USN-1616-1
- https://www.cve.org/CVERecord?id=CVE-2010-2089
- https://nvd.nist.gov/vuln/detail/CVE-2010-2089
- http://svn.python.org/view?view=rev&revision=82494
- http://hg.python.org/cpython/rev/29116b2fcffe
- http://hg.python.org/cpython/rev/7184421f83b5
- http://hg.python.org/cpython/rev/b67f720998a8
- https://ubuntu.com/security/CVE-2010-2089
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2010-2089?
CVE-2010-2089 is a vulnerability in the audioop module in Python 2.7 and 3.2 that allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments.
How does CVE-2010-2089 impact Python?
CVE-2010-2089 can cause a denial of service (memory corruption and application crash) in Python 2.7 and 3.2.
What is the severity of CVE-2010-2089?
CVE-2010-2089 has a severity value of 5, which is considered medium severity.
Which versions of Python are affected by CVE-2010-2089?
CVE-2010-2089 affects Python versions 2.5.0 to 2.6.6, 3.1.0 to 3.1.3, 2.7, and 3.2.
Are there any fixes available for CVE-2010-2089?
Yes, fixes for CVE-2010-2089 are available for the affected versions of Python.
- collector/nvd-historical
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-2089
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/event
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/python
- canonical/python python
- version/python python/3.1.0
- version/python python/2.6.0
- version/python python/2.5.0
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian