[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[Ned Deily]

Change by Ned Deily :


--
Removed message: https://bugs.python.org/msg342084

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[Ned Deily]

Ned Deily  added the comment:


New changeset 4b42d575bf0fb01192b3ec54b7e224b238691527 by larryhastings (Victor 
Stinner) in branch '3.4':
[3.4] bpo-34656: Avoid relying on signed overflow in _pickle memos (GH-9261) 
(#11870)
https://github.com/python/cpython/commit/4b42d575bf0fb01192b3ec54b7e224b238691527


--
nosy: +ned.deily

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[Larry Hastings]

Larry Hastings  added the comment:


New changeset ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c by larryhastings (Victor 
Stinner) in branch '3.5':
closes bpo-34656: Avoid relying on signed overflow in _pickle memos. (GH-9261) 
(#11869)
https://github.com/python/cpython/commit/ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[Larry Hastings]

Larry Hastings  added the comment:


New changeset 4b42d575bf0fb01192b3ec54b7e224b238691527 by larryhastings (Victor 
Stinner) in branch '3.4':
[3.4] bpo-34656: Avoid relying on signed overflow in _pickle memos (GH-9261) 
(#11870)
https://github.com/python/cpython/commit/4b42d575bf0fb01192b3ec54b7e224b238691527


--
nosy: +larry

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

STINNER Victor  added the comment:

As I wrote in my previous comment, I don't think that Python 2.7 is affected by 
this issue.

--
components: +Library (Lib) -ctypes
versions: +Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8 -Python 
2.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[dfmz77669]

dfmz77669  added the comment:

In python2, Picklertype donot has tp init which has bug in python3 Pickler_Type.
I think it not effect python2.
Can you arch more infor?
thanks

--
components: +ctypes -FreeBSD
nosy: +dfmz77669
versions:  -Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[dfmz77669]

Change by dfmz77669 :


--
nosy:  -alexandre.vassalotti, benjamin.peterson, hroncok, mcepl, 
miss-islington, serhiy.storchaka, shuoz, xtreak

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

Change by STINNER Victor :


--
pull_requests: +11903

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

Change by STINNER Victor :


--
pull_requests: +11902
stage: resolved -> patch review

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[Matej Cepl]

Matej Cepl  added the comment:

Python 3.4 doesn't allow C99 constructs, so I had to update the patch to 
reorder iterator declarations. Just if any future colleague Python Linux distro 
maintainer needs it.

--
Added file: 
https://bugs.python.org/file48073/CVE-2018-20406-pickle_LONG_BINPUT.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

STINNER Victor  added the comment:

New changeset a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd by Benjamin Peterson in 
branch 'master':
closes bpo-34656: Avoid relying on signed overflow in _pickle memos. (GH-9261)
https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd

It seems like this patch changes the implementation of the internal "memo" 
object which is a custom C type in Python 3.

In Python 2 cPickle, the memo is a regular dictionary and so I'm not sure that 
Python 2 is affected by this vulnerability.

Can someone please confirm?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

STINNER Victor  added the comment:

> And Modules/cPickle.c is that drastically different?

Stupid me. I was surprised that Python 2.7 had no C accelerator. I was looking 
for Modules/*pickle*.c on my case sensitive Linux filesystem...

--
versions: +Python 2.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[Matej Cepl]

Matej Cepl  added the comment:

> * Python 2.7 has no C accelerator _pickle (Modules/_pickle.c)

And Modules/cPickle.c is that drastically different?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

STINNER Victor  added the comment:

Python 2.7 is not affected:

* Python 2.7 has no C accelerator _pickle (Modules/_pickle.c)
* Python 2.7 doesn't support protocol 4 (attached proof of concept)

I reopen the issue because the issue should be fixed in 3.4 and 3.5 as well, 
since it has been marked as a vulnerability (it got a CVE number).

--
nosy: +vstinner
resolution: fixed -> 
status: closed -> open
versions: +Python 3.4, Python 3.5, Python 3.6, Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34656] [CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393

[STINNER Victor]

Change by STINNER Victor :


--
title: memory exhaustion in Modules/_pickle.c:1393 -> [CVE-2018-20406] memory 
exhaustion in Modules/_pickle.c:1393

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com