STINNER Victor <[email protected]> added the comment:
Leo kirotawa silva: "I re-did the build here for python3.4 and couldn't reach
the same test fail. So I'm assuming it was a false alarm."
Python 3.4 and 3.5 seem to be also vulnerable:
---
PyObject *PyBytes_DecodeEscape(const char *s,
Py_ssize_t len,
const char *errors,
Py_ssize_t unicode,
const char *recode_encoding)
{
...
Py_ssize_t newlen = recode_encoding ? 4*len:len;
v = PyBytes_FromStringAndSize((char *)NULL, newlen);
---
I don't think that Python 3.6 and 3.7 are vulnerable, the code was rewritten
with the _PyBytesWriter API. The code got a new _PyBytes_DecodeEscapeRecode()
helper function which calls _PyBytesWriter_WriteBytes(), and this function
detects properly integer overflows.
----------
nosy: +vstinner
resolution: fixed ->
status: closed -> open
title: Unsafe arithmetic in PyString_DecodeEscape -> CVE-2017-1000158: Unsafe
arithmetic in PyString_DecodeEscape
versions: +Python 2.7, Python 3.5
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue30657>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
