Official Python Security Announcement
See the official Python Security Announcement.
This is not a MoinMoin bug but a bug in the Python interpreter itself, so it potentially affects every Python application, not just MoinMoin. Security bugs in Python are rare, but they happen.
This page looks at the bug from a MoinMoin perspective.
Severity
MoinMoin uses repr() and %r in quite a few places, both in its own code and in code we distribute as part of MoinMoin.
It is not possible to review all of that code thoroughly in a short timeframe, so the best advice we can give now is: if you have a buggy Python, upgrade it.
Do I have a buggy Python?
Python >= 2.5c2 (including the 2.5 final release) is not vulnerable. Python <= 2.5c1 is vulnerable, with the exception of the bugfix releases 2.4.4 and 2.3.6, which are not vulnerable. Check your version with 'python -V'. Note that, in addition to the version, only UCS4 builds are affected at all (see below).
If your Python is a UCS4 build and older than the fixed versions listed above, it is vulnerable. Known UCS4 builds include:
- Debian
- Ubuntu
- Gentoo*
If your Python is a UCS2 build, it is not vulnerable. Known UCS2 builds include:
- Windows (win32) executables from python.org
- Mac OS X 10.3 and 10.4 (they ship with Python 2.3); Python 2.4.3 installed from MacPorts is also a UCS2 build.
What shall I do?
If you run a distribution package (e.g. from a Linux distributor), there are fixed packages from most distributors - please install them.
* N.B. If you are on Gentoo, you can emerge Python (and mod_python, if you use it) with the ucs2 USE flag to switch to a UCS2 build.
If you run Windows, you are not vulnerable, because the default python.org build is UCS2. If you have compiled Python yourself, check that you are not running a UCS4-enabled build (see below).
If upgrading to Python 2.5 is an option for you, that will also fix the bug.
moin 1.5.5a runs fine with Python 2.5 (the wikifarm on this server runs on Python 2.5).
Do I have a Python with UCS4?
Check it with this command:
$ python -c "import sys ; print sys.maxunicode > 65535"
If this command prints "True", you have a UCS4-enabled Python; otherwise you have a UCS2 Python. Note: a UCS4 build alone does not mean your Python is vulnerable - also check the version number. Fixed Python versions built with UCS4 will still print "True" here.
Do I have a buggy Python version?
Check it with this command (replace python2.4 with the interpreter you actually run your wiki with):
python2.4 -c 'assert(repr(u"\U00010000" * 39 + u"\uffff" * 4096)) == (repr(u"\U00010000" * 39 + u"\uffff" * 4096))'
If the command prints nothing, your Python is OK. If the assertion fails (or the interpreter crashes), you have a buggy version of Python and need to upgrade.
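The two checks above (UCS4 build, and a version older than the fixed releases) can be combined into one small audit script. The following is an added example, not code from the original page or from MoinMoin; it encodes exactly the version rules stated on this page (fixed in 2.3.6, 2.4.4 and 2.5c2 or newer, UCS2 builds never affected) and, because the page only says "<= 2.5c1 is vulnerable", treats any UCS4 build of a series older than 2.3 as vulnerable. It is written to run unchanged on both old Python 2 and current Python 3, so it can be run with the interpreter under test.

```python
import sys

# First release of each affected Python 2 series that contains the fix, as
# stated on this page. Tuples use the sys.version_info layout:
# (major, minor, micro, releaselevel, serial). The 2.5 final release sorts
# after 2.5c2 because "final" > "candidate" in tuple comparison.
FIXED_IN = {
    (2, 3): (2, 3, 6, "final", 0),
    (2, 4): (2, 4, 4, "final", 0),
    (2, 5): (2, 5, 0, "candidate", 2),
}

FIRST_SAFE_EVERYWHERE = (2, 5, 0, "candidate", 2)


def is_ucs4(maxunicode):
    """A UCS4 ("wide") build reports sys.maxunicode > 65535 (0xFFFF)."""
    return maxunicode > 65535


def is_vulnerable(version_info, maxunicode):
    """Apply the page's rules to a (version_info, maxunicode) pair.

    Returns True only for UCS4 builds older than the fixed release of
    their series. Series older than 2.3 are treated as vulnerable
    (assumption: the page only says "<= 2.5c1 is vulnerable").
    """
    if not is_ucs4(maxunicode):
        return False            # UCS2 builds are not affected at all
    version = tuple(version_info)[:5]
    if version >= FIRST_SAFE_EVERYWHERE:
        return False            # 2.5c2, 2.5 final and everything newer
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return True             # 2.2 and older UCS4 builds: assumed vulnerable
    return version < fixed


def describe(version_info, maxunicode):
    """Human-readable one-line verdict for a given interpreter."""
    build = is_ucs4(maxunicode) and "UCS4" or "UCS2"
    verdict = is_vulnerable(version_info, maxunicode) and "VULNERABLE" or "ok"
    return "Python %d.%d.%d %s%d, %s build: %s" % (
        tuple(version_info)[:5] + (build, verdict))


def check_current_interpreter():
    """Report on the interpreter running this script."""
    return describe(sys.version_info, sys.maxunicode)


if __name__ == "__main__":
    # Constructed sample interpreters, to show the decision table.
    samples = [
        ((2, 4, 3, "final", 0), 1114111),      # Debian-style UCS4 2.4.3
        ((2, 4, 4, "final", 0), 1114111),      # fixed 2.4.4, still UCS4
        ((2, 5, 0, "candidate", 1), 1114111),  # 2.5c1
        ((2, 5, 0, "final", 0), 1114111),      # 2.5 release
        ((2, 4, 3, "final", 0), 65535),        # python.org win32 build
    ]
    for vi, mu in samples:
        print(describe(vi, mu))
    print("this interpreter: " + check_current_interpreter())
```

Run it with every Python you have installed (python2.3, python2.4, the one your web server embeds via mod_python, and so on); only the verdict for the interpreter that actually executes the wiki matters.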
Is this exploitable?
We do not know. No exploit has been published so far.