[docs] Potential vulnerabilities in python (2.7.8)

Georg Brandl georg at python.org
Wed Aug 13 07:49:01 CEST 2014


On 08/13/2014 12:55 AM, Hádrian R wrote:
> Hi, I'm Hádrien Romero Soria - @Kaiwaiata??, I am a 16 year old boy,
> passionate about computer security. I have spent more than 2h searching and
> finding various possible vulnerabilities in the source code of python. I will
> tell you some vulnerabilities now; if they treat me well I will tell the
> others.
> 
> foolish or important things?
> 
> # unsafe use of strcpy():
> 
> python.tar\python-2.7.8\modules\zipimport.c lines: 83: strcpy(buf, path);
> 
> python.tar\python-2.7.8\modules\zipimport.c lines: 437: strcpy(buf, path);
> 
> python.tar\python-2.7.8\modules\zipimport.c lines: 704: strcpy(path, archive);
> 
> # if an attacker manages to take control of 'buf, path, archive',
> may cause a buffer overflow, probably if which would be directed toward
> .bss it's not too dangerous but is a vulnerability.

Hi Hádrian,

thanks for your report.  However, this is the wrong mailing list, please report
security considerations to security at python.org.

Thanks,
Georg

