Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
The issue is public.

Date: Thu, 3 Apr 2008 14:39:17 -0700
From: David Remahl <dremahl@apple.com>
To: vendor-sec@lst.de, coley@mitre.org
Subject: [vendor-sec] Integer overflow related to [CVE-2007-4965] in python imageop module
CC: Guido van Rossum <guido@python.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Python distribution vendors,

http://bugs.python.org/issue1179

When making some test cases for the public bug above, I discovered  
that there were some remaining overflows not addressed by the  
attached, unapplied, patch. At the time, I didn't realize that several  
vendors (including Apple) had already delivered the incomplete patch.  
I posted a comment in the bug, listing two issues that remain to be  
fixed:

> import imageop; imageop.rgb82rgb('A'*(2**30), 32768, 32768)
> import imageop; imageop.grey2rgb('A'*(2**30), 32768, 32768)

Therefore, these semi-new integer overflows are now considered public.  
It is probably best to assign a separate CVE to these integer  
overflows, to distinguish them from the issues that have already been  
addressed in several distributions.

Steve Christey, please assign an ID if you agree.

Sorry for the inconvenience.

/ Regards, David
// Security Engineer
// Apple Product Security

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iQEVAwUBR/VOh8gAoqu4Rp5tAQJ56Af/cH8EE6Bduv5Db4nEFPRaBxi8Nq/R8GmD
WBlMYIlZxbKT14t3S5M0NTYQXXo9WB09oXWRfTkfkN72UJ1i15Xt56mOuRB23chD
0K8PsSCQM5RRvlwZKpFAjvXBlPL1uuEFlhxycr2vjjNlW/zjMXIIu4iup0b7kyUE
RtrgdRvjyaM4N6Ga130ao9h5TWWRyK++pkjA1/Qxi7sr0dY1/cSsIT7B69MPBGcT
6V2IKUu05VQwp/AcYdsxTbunD9pMzHJnqYW1RQC4BjzN1LT55krMteL9u8lQLe3R
CSO4bszF17DybbKPKxI4PpHifopyGcw9Qd4ofFzuTes+lxDCzB/7Ng==
=8mch
-----END PGP SIGNATURE-----

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec