This vulnerability was reported to MITRE without a report to the Python Security Response Team (security@python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly.
*Description*
A use-after-free exists in Python through 3.9 via heappushpop in heapq.
*Affected versions*
- Python 3.9.0a1 to 3.9.0a2 *
- Python 3.8.0 to 3.8.1
- Python 3.7.0 to 3.7.6 **
- Python 3.6.10 and earlier **
- *Pre-release versions of Python are not recommended for production use.*
** *Note that Python 3.7.17 and earlier will not be receiving an upstreamsecurity fix due to being end-of-life* ( https://devguide.python.org/versions) contact your distributor of Python for additional guidance.
*Remediation and work-arounds*
- Upgrade to Python 3.9.0, 3.8.2, 3.7.7, or 3.6.11.
- Apply a patch for your corresponding version of Python
Patches are available for all supported feature, bugfix, and security branches of Python:
- main: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491ccd...
- 3.8: https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609b...
- 3.7: https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccfc...
- 3.6: https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c92579173...
*References*
- https://www.cve.org/CVERecord?id=CVE-2022-48560
- https://bugs.python.org/issue39421
- https://github.com/python/cpython/pull/18118
*Credits*
- Reporter: Samuel Henrique