This vulnerability was reported to MITRE without a report to the Python Security Response Team (security@python.org).
Thanks to Samuel Henrique for reporting this vulnerability to the PSRT for a proper advisory to be published.
Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly.
read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9,
and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and
RAM exhaustion when processing malformed Apple Property List files in
binary format.
Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions); contact your distributor of Python for additional guidance.
Patches are available for all supported feature, bugfix, and security branches of Python: