On 07Nov2022 12:26, Gregory P. Smith <g...@krypto.org> wrote:
> I personally didn't feel this one was urgent enough to ask anyone to spend
> time doing an emergency security release as triggering the crash requires
> someone sending a multi-gigabyte amount of data into a sha3 hash function
> in a single .update() method call. That seems like a rare code pattern. How
> many applications ever do that vs doing I/O in smaller chunks with more
> frequent .update() calls?

As it happens I'm doing some work for a media archiving company and we're looking at recording checksums for archived files. I _may_ well be choosing to mmap a file and calling .update() on the mapping in one go.

That said, that's (a) niche and (b) not even written yet.

I think I'd still agree that this might be a nonurgent fix (haven't read the CVE properly yet).

Cheers,
Cameron Simpson <c...@cskk.id.au>
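
The mmap-based checksum pattern mentioned above can keep the mapping while still feeding the hash in bounded slices, so no single .update() call ever receives a multi-gigabyte buffer. The following is an added example, not code from either message; the function name, the 64 MiB bound and the choice of sha3_256 are assumptions made for illustration.

```python
import hashlib
import mmap

# Assumed upper bound on the bytes handed to any one .update() call;
# chosen here to stay far below the multi-gigabyte sizes discussed above.
CHUNK = 64 * 1024 * 1024


def sha3_256_mmap(path, chunk=CHUNK):
    """Return the SHA3-256 hex digest of a file, read through an mmap.

    The mapping is walked with memoryview slices, so nothing is copied
    and each .update() call sees at most `chunk` bytes.
    """
    if chunk <= 0:
        raise ValueError("chunk must be a positive number of bytes")
    h = hashlib.sha3_256()
    with open(path, "rb") as f:
        # mmap refuses to map an empty file, so handle that case first.
        if f.seek(0, 2) == 0:
            return h.hexdigest()
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            # Every memoryview must be released before the mmap closes,
            # otherwise close() raises BufferError.
            with memoryview(m) as view:
                for off in range(0, len(view), chunk):
                    with view[off:off + chunk] as piece:
                        h.update(piece)
    return h.hexdigest()


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(sha3_256_mmap(name), name)
```
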
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/AOBBVHKUAFXSY3D6T5OK53PFB44ZWY4N/