[issue39421] Use-after-free in heappushpop() of heapq module

2020-01-23 Thread Pablo Galindo Salgado
Change by Pablo Galindo Salgado: resolution: -> fixed; stage: patch review -> resolved; status: open -> closed

2020-01-23 Thread miss-islington
miss-islington added the comment: New changeset 993811ffe75c2573f97fb3fd1414b34609b8c8db by Miss Islington (bot) in branch '3.8': bpo-39421: Fix possible crash in heapq with custom comparison operators (GH-18118)

2020-01-23 Thread miss-islington
Change by miss-islington: pull_requests: +17535; pull_request: https://github.com/python/cpython/pull/18149

2020-01-23 Thread Ned Deily
Ned Deily added the comment: New changeset c563f409ea30bcb0623d785428c9257917371b76 by Ned Deily (Miss Islington (bot)) in branch '3.6': bpo-39421: Fix possible crash in heapq with custom comparison operators (GH-18118) (GH-18146)

2020-01-23 Thread miss-islington
miss-islington added the comment: New changeset 958064f8d2b84062b0582bbae911df8ccfc11fd6 by Miss Islington (bot) in branch '3.7': bpo-39421: Fix possible crash in heapq with custom comparison operators (GH-18118)

2020-01-23 Thread miss-islington
Change by miss-islington: pull_requests: +17531; pull_request: https://github.com/python/cpython/pull/18145

2020-01-23 Thread miss-islington
Change by miss-islington: pull_requests: +17532; pull_request: https://github.com/python/cpython/pull/18146

2020-01-23 Thread miss-islington
Change by miss-islington: pull_requests: +17530; stage: needs patch -> patch review; pull_request: https://github.com/python/cpython/pull/18144

2020-01-23 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: New changeset 79f89e6e5a659846d1068e8b1bd8e491ccdef861 by Pablo Galindo in branch 'master': bpo-39421: Fix possible crash in heapq with custom comparison operators (GH-18118)

2020-01-23 Thread Alex Gaynor
Change by Alex Gaynor: keywords: +security_issue; nosy: +alex

2020-01-22 Thread Dong-hee Na
Dong-hee Na added the comment: @pablogsal I agree that a hotfix is needed, and the discussion as well. I left a comment for PR 18118. Please take a look :)

2020-01-22 Thread Pablo Galindo Salgado
Change by Pablo Galindo Salgado: keywords: +patch; pull_requests: +17505; stage: needs patch -> patch review; pull_request: https://github.com/python/cpython/pull/18118

2020-01-22 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: As this discussion will take a while and likely will have deeper consequences, in the meantime I created PR18118 to specifically fix this.

stage: patch review -> needs patch

2020-01-22 Thread Dong-hee Na
Dong-hee Na added the comment:

> To be honest, given how many ways this bug happens I think it's time to
> consider msg359023.

+1 to me also

2020-01-22 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: To be honest, given how many ways this bug happens I think it's time to consider msg359023.

2020-01-22 Thread Dong-hee Na
Change by Dong-hee Na: nosy: +vstinner

2020-01-22 Thread Dong-hee Na
Change by Dong-hee Na: stage: -> needs patch; versions: -Python 3.6

2020-01-22 Thread Dong-hee Na
Dong-hee Na added the comment: Reproducible. It looks similar to bpo-38588. Will we apply the same solution as we did for bpo-38588, or do we plan to apply the solution suggested in msg359023?

nosy: +corona10, inada.naoki, pablogsal

2020-01-22 Thread Dk0n9
New submission from Dk0n9: The variable `heap` in heappushpop does not add a reference count

```c
cmp = PyObject_RichCompareBool(PyList_GET_ITEM(heap, 0), item, Py_LT);
if (cmp < 0)
    return NULL;
if (cmp == 0) {
    Py_INCREF(item);
    return item;
}
```

POC:

2020-01-22 Thread Dk0n9
Change by Dk0n9: components: Extension Modules; nosy: dk0n9; priority: normal; severity: normal; status: open; title: Use-after-free in heappushpop() of heapq module; type: crash; versions: Python 3.6, Python 3.7, Python 3.8, Python 3.9
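
The borrowed-reference hazard described in the original submission, as an added example that is not part of the thread and is not CPython code: a toy refcount model in which the comparison callback empties the heap while it still needs its operand. All types and function names here (`Obj`, `List`, `compare_top`, and so on) are hypothetical, and release is only recorded in a flag, never performed.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy refcounted object (hypothetical, not CPython's PyObject). `released`
   records that the count hit zero, where a real runtime would free it. */
typedef struct { int refcnt; int released; } Obj;
typedef struct { Obj *items[4]; size_t len; } List;

static void incref(Obj *o) { o->refcnt++; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->released = 1; }

/* Drops the list's reference to every element. */
static void list_clear(List *l) {
    while (l->len > 0) decref(l->items[--l->len]);
}

/* Stand-in for a user-defined comparison: it runs arbitrary code (here it
   empties the heap) and then still needs its left operand.
   Returns 1 if the operand is alive at that point, 0 if already released. */
static int compare_alive(Obj *left, List *heap) {
    list_clear(heap);
    return !left->released;
}

/* take_ref = 0: compare through a borrowed pointer, as in the snippet.
   take_ref = 1: hold a strong reference across the comparison.
   Returns whether the operand stayed alive during the comparison;
   *released_after reports whether it was released once we were done. */
int compare_top(int take_ref, int *released_after) {
    Obj top = { 1, 0 };               /* the list is the only owner */
    List heap = { { &top }, 1 };
    Obj *t = heap.items[0];           /* borrowed, like PyList_GET_ITEM */
    if (take_ref) incref(t);
    int alive = compare_alive(t, &heap);
    if (take_ref) decref(t);
    *released_after = top.released;
    return alive;
}

int main(void) {
    int rel;
    int borrowed = compare_top(0, &rel);
    int owned = compare_top(1, &rel);
    printf("borrowed: alive=%d\n", borrowed);
    printf("owned:    alive=%d released_after=%d\n", owned, rel);
    return 0;
}
```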