On 06. 01. 22 14:22, lxr1210--- via Python-Dev wrote:
Hi all,
I am currently doing some research on the security of CPython. I used
the open source vulnerability analysis engine,
Infer(https://fbinfer.com/), to scan the native code of CPython 3.10.0.
The scan results show that there are still a number of vulnerabilities
in the CPython native code, such as Null dereference, Uninitialized
variable, Resource/Memory leak, etc. Moreover, I found that some of the
vulnerabilities are related to Python/C API. I enclose the vulnerability
report for your reference.
The first page of these looks like false positives (except one might be
a flaw in test code).
But that's par for the course. I've spent a lot of time digging through
reports like these. Sometimes there's a bug worth fixing, sometimes it's
even an actual vulnerability, but in my experience, most of what tools
find in CPython is not actionable.
If you do find a security vulnerability, consider reporting it privately
to the security team: see https://www.python.org/dev/security/
Based on the research of the result, I tried to design a tool to
automatically detect and repair vulnerabilities in CPython and make this
tool available. See:
https://github.com/PVMPATCH/PVMPatch
Python is my favourite programming language. I sincerely hope that I can
help Python become stronger and safer. I hope this discovery can be
useful for you to develop Python in the future.
Thank you for your time and consideration!
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at
https://mail.python.org/archives/list/python-dev@python.org/message/PRDD4CROYQFER3J3YYIKEAK5KHQECKHR/
Code of Conduct: http://python.org/psf/codeofconduct/
