[CVE-2022-48564] DoS when reading malformed Apple Property List files in binary format
This vulnerability was reported to MITRE without a report to the Python Security Response Team (security@python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly.

Description

read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

Affected versions
- Python 3.9.0a1 to 3.9.0
- Python 3.8.0 to 3.8.6
- Python 3.7.0 to 3.7.9 **
- Python 3.6.13 and earlier **
** *Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions); contact your distributor of Python for additional guidance.*

Remediation and work-arounds
- Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13
- Apply a patch for your corresponding version of Python
Patches are available for all supported feature, bugfix, and security branches of Python:
- main: 34637a0ce21e7261b952fbd9d006474cc29b681f <https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f>
- 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a <https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e86610a>
- 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76 <https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd9549ada76>
- 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4 <https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebfeb5ec4>
- 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 <https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d43b2b4>
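Added example (not part of the advisory and not CPython code): a small guard for code that must parse plists from untrusted sources while some hosts may still run an unpatched interpreter. It derives the "first fixed" micro release per series from the upgrade line above, and refuses to hand a binary-format plist (recognised by the `bplist00` header that plistlib itself checks for) to the vulnerable reader on an affected version; XML plists are unaffected and still parsed. The size cap, the `version` parameter and the sample document are assumptions added for illustration.

```python
"""Added example (not from the advisory): gate plistlib parsing of untrusted
input by interpreter version and input format, per CVE-2022-48564."""
import plistlib
import sys

# First fixed micro release per minor series, taken from the advisory's
# "Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13" line.
FIRST_FIXED = {
    (3, 9): 1,
    (3, 8): 7,
    (3, 7): 10,
    (3, 6): 13,
}

# Header plistlib uses to recognise the binary property-list format.
BPLIST_MAGIC = b"bplist00"


def is_affected(version=None):
    """Return True if the (major, minor, micro) tuple (default: the running
    interpreter) predates the fix for CVE-2022-48564."""
    major, minor, micro = tuple(version or sys.version_info)[:3]
    fixed_micro = FIRST_FIXED.get((major, minor))
    if fixed_micro is not None:
        return micro < fixed_micro
    # Series older than 3.6 never received the fix; newer series shipped with it.
    return (major, minor) < (3, 6)


def safe_loads(data, max_size=1 << 20, version=None):
    """Parse a plist from untrusted bytes with two guards: an input size cap
    (assumed default, tune per deployment) and, on an unpatched interpreter,
    a refusal to pass binary plists to the vulnerable binary reader."""
    if len(data) > max_size:
        raise ValueError("plist exceeds size limit (%d bytes)" % max_size)
    if data.startswith(BPLIST_MAGIC) and is_affected(version):
        raise ValueError(
            "binary plist rejected: interpreter is affected by CVE-2022-48564")
    return plistlib.loads(data)


def sample_documents():
    """Constructed sample plist in both encodings, for demonstration only."""
    doc = {"name": "example", "count": 3, "flags": [True, False]}
    return (doc,
            plistlib.dumps(doc, fmt=plistlib.FMT_XML),
            plistlib.dumps(doc, fmt=plistlib.FMT_BINARY))


if __name__ == "__main__":
    doc, xml_bytes, bin_bytes = sample_documents()
    print("running interpreter affected:", is_affected())
    print("xml round-trip ok:", safe_loads(xml_bytes) == doc)
    try:
        safe_loads(bin_bytes, version=(3, 8, 6))  # simulate an unpatched 3.8
    except ValueError as exc:
        print("rejected on 3.8.6:", exc)
```

The version check is only a stop-gap for fleets that cannot upgrade immediately; the real fix is the patched release or backported commit listed above.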
References
- https://www.cve.org/CVERecord?id=CVE-2022-48564
- https://bugs.python.org/issue42103
- https://github.com/python/cpython/pull/22882
Credits
- Reporter: Samuel Henrique
participants (1)
- Seth Larson