This vulnerability was reported to MITRE without a report to the Python Security Response Team (security@python.org). Thanks to Samuel Henrique for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly.

Description

read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

Affected versions

• Python 3.9.0a1 to 3.9.0
• Python 3.8.0 to 3.8.6
• Python 3.7.0 to 3.7.9 **
• Python 3.6.13 and earlier **

** Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions) contact your distributor of Python for additional guidance.

Remediation and work-arounds

• Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13
• Apply a patch for your corresponding version of Python

Patches are available for all supported feature, bugfix, and security branches of Python:

• main: 34637a0ce21e7261b952fbd9d006474cc29b681f
• 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a
• 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76
• 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4
• 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4

References

• https://www.cve.org/CVERecord?id=CVE-2022-48564
• https://bugs.python.org/issue42103
• https://github.com/python/cpython/pull/22882

Credits

• Reporter: Samuel Henrique