[Security-announce][CVE-2022-48564] DoS when reading malformed Apple Property List files in binary format

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security@python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. <https://gist.github.com/#description>Description

read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. <https://gist.github.com/#affected-versions>Affected versions

• Python 3.9.0a1 to 3.9.0
• Python 3.8.0 to 3.8.6
• Python 3.7.0 to 3.7.9 **
• Python 3.6.13 and earlier **

** *Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions <https://devguide.python.org/versions>)* contact your distributor of Python for additional guidance. <https://gist.github.com/#remediation-and-work-arounds>Remediation and work-arounds

• Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13
• Apply a patch for your corresponding version of Python

Patches are available for all supported feature, bugfix, and security branches of Python:

• main: 34637a0ce21e7261b952fbd9d006474cc29b681f <https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f>
• 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a <https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e86610a>
• 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76 <https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd9549ada76>
• 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4 <https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebfeb5ec4>
• 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 <https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d43b2b4>

<https://gist.github.com/#references>References

• https://www.cve.org/CVERecord?id=CVE-2022-48564
• https://bugs.python.org/issue42103
• https://github.com/python/cpython/pull/22882

<https://gist.github.com/#credits>Credits

• Reporter: Samuel Henrique