CVE-2012-2135

Publication date 14 August 2012

Last updated 24 July 2024

The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python3.1	13.04 raring	Not in release
	12.10 quantal	Not in release
	12.04 LTS precise	Not in release
	11.10 oneiric	Not in release
	11.04 natty	Fixed 3.1.3-1ubuntu1.2
	10.04 LTS lucid	Fixed 3.1.2-0ubuntu3.2
	8.04 LTS hardy	Not in release
python3.2	13.04 raring	Not in release
	12.10 quantal	Not affected
	12.04 LTS precise	Fixed 3.2.3-0ubuntu3.2
	11.10 oneiric	Fixed 3.2.2-0ubuntu1.1
	11.04 natty	Fixed 3.2-1ubuntu1.2
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release
python3.3	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not in release
	11.10 oneiric	Not in release
	11.04 natty	Not in release
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

Notes

jdstrand

python3 only patch in upstream bug is in Debian, but not committed upstream

mdeslaur

3.3 wasn't affected. Only tests were commited.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python3.1	Upstream: http://hg.python.org/cpython/rev/034ff986019d
python3.2	Upstream: http://hg.python.org/cpython/rev/034ff986019d
python3.3	Upstream: http://hg.python.org/cpython/rev/034ff986019d

References

Related Ubuntu Security Notices (USN)

USN-1616-1
Python 3.1 vulnerabilities
24 October 2012

USN-1615-1
Python 3.2 vulnerabilities
23 October 2012

Other references

https://www.cve.org/CVERecord?id=CVE-2012-2135