
On Wed, Mar 5, 2008 at 8:33 PM, Leonardo Santagada <santagada@gmail.com> wrote:
> On 05/03/2008, at 16:03, Aaron Watters wrote:
>> Guido pointed out that previous versions of marshal could crash python.
>> I replied that that is a bug and all known instances have been fixed. Pickle executes arbitrary code by design -- which is much worse than just crashing a program.
>
> Just read carefully what Guido said: if there is a bug it cannot just crash your program, it can execute any kind of code, as bad or even worse than pickle... that is what is called a buffer overflow.
I'd like to know the actual number of successful buffer overflow attacks that have ever happened on the planet in the wild. Maybe one? Okay, according to Wikipedia there have been 4. I don't really know, but I think an overflowing buffer in marshal is not very likely to be somewhere near where a code segment could jump to, because almost everything in marshal is dynamically allocated. The known attacks have been where the arrays were in static locations, I believe.

And it's not worse than pickle because pickle is perfectly capable of compiling and loading an assembly language component without you knowing anything about it. Pickle can do anything that the computer can do.

Also it's not worse than pickle because you have to be a highly experienced and perverted assembly language programmer to construct an overflow attack, and there has to be a bug in marshal to allow it. To abuse pickle requires almost no skill at all, and you don't have to be perverted, you just have to be stupid. In fact pickle is designed to execute arbitrary code, and even documented.

For all I know it's just as feasible to stage buffer overflow attacks in many other places in python as it is in marshal -- like maybe unicode.join or anyplace else where an array is constructed. Which is to say it's not very feasible in those places either.

I was clearly off my medication to start this discussion. I suppose misleading people into thinking marshal is dangerous is better than suggesting pickle is safe.

Peace and love everyone. bye now.

-- Aaron Watters
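The one point both sides of this exchange agree on is that pickle will call whatever importable callable a stream names, while marshal only reconstructs a fixed set of built-in types. The script below is an added illustration, not code from the thread or from CPython: it pickles an object whose `__reduce__` names `os.getcwd` (a harmless stand-in for any module-level callable), shows that plain `pickle.loads` invokes it, shows that marshal refuses such an object outright, and shows the mitigation the pickle module documentation recommends, an `Unpickler` subclass whose `find_class` resolves only an explicit allow list. The `Carrier` class, the `RestrictedUnpickler` allow list and the sample dictionaries are constructed for this example.

```python
"""Added example: pickle runs callables by design, marshal carries only data,
and a restricted Unpickler is the documented way to load untrusted pickles."""
import io
import marshal
import os
import pickle


class Carrier:
    """Constructed for this example. Its pickle form tells the loader to
    call os.getcwd(). The function is harmless; it stands in for any
    importable callable, which is what "arbitrary code" means for pickle."""

    def __reduce__(self):
        return (os.getcwd, ())


def unpickle_default(data: bytes):
    """Plain pickle.loads: imports and calls whatever the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an allow list (constructed here); every
    other module.name reference, including os.getcwd, is refused before
    it is imported or called."""

    ALLOWED = frozenset({("builtins", "set"), ("builtins", "frozenset")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unpickle_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def pickle_runs_callable() -> bool:
    """True when loading the stream returned os.getcwd()'s result, i.e. the
    loader executed the callable the stream named."""
    data = pickle.dumps(Carrier())
    return unpickle_default(data) == os.getcwd()


def restricted_blocks_callable() -> bool:
    """The same stream is rejected by the allow-listing loader."""
    data = pickle.dumps(Carrier())
    try:
        unpickle_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def restricted_allows_plain_data():
    """Dicts, lists, strings and ints need no global lookups, so the
    restricted loader reconstructs them normally."""
    data = pickle.dumps({"ids": [1, 2, 3], "name": "x"})
    return unpickle_restricted(data)


def marshal_refuses_instances() -> bool:
    """marshal has no opcode for calling code: an arbitrary object is simply
    unmarshallable, so the question of what it would run never arises."""
    try:
        marshal.dumps(Carrier())
    except ValueError:
        return True
    return False


def marshal_round_trip():
    """marshal.loads yields data of a few built-in types, never a call."""
    return marshal.loads(marshal.dumps({"ids": (1, 2, 3), "name": "x"}))


if __name__ == "__main__":
    print("pickle called the named callable:", pickle_runs_callable())
    print("restricted loader blocked it:    ", restricted_blocks_callable())
    print("restricted loader kept plain data:", restricted_allows_plain_data())
    print("marshal refused the instance:     ", marshal_refuses_instances())
    print("marshal round trip:               ", marshal_round_trip())
```

The allow list is deliberately tiny; in practice it should name exactly the classes a given stream is expected to contain, and a stream from an untrusted source should go through `RestrictedUnpickler` (or a format that carries no code references at all, such as marshal or JSON) rather than `pickle.loads`.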