[issue41208] An exploitable segmentation fault in marshal module
Serhiy Storchaka
report at bugs.python.org
Mon Jul 6 10:35:30 EDT 2020
Serhiy Storchaka <storchaka+cpython at gmail.com> added the comment:
No, unlike marshal, the pickle format is a Turing-complete language. Just loading pickle data can cause execution of arbitrary code. marshal is more "safe" in this regard -- in the worst case you can just crash when loading it.
It may be interesting to make marshal deserialization more robust if it does not affect performance. But it would be a new feature, not a bug fix, and not a security fix.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41208>
_______________________________________
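To make the distinction in the comment above concrete, here is an added Python example; it is not code from this bug report or from CPython. It builds a pickle stream whose only payload is a call to builtins.eval (the argument string merely sets an environment variable, used here as a harmless, observable marker; a real attacker would pick os.system or similar), shows that a plain pickle.loads runs it, shows a RestrictedUnpickler following the "Restricting Globals" pattern from the pickle documentation refusing it, and contrasts that with marshal, where loading a code object or garbage bytes returns data or raises an exception but never transfers control. The marker name, the allow-list contents and the garbage bytes are this example's own constructed choices.

```python
import io
import marshal
import os
import pickle
import types

# Constructed marker: if this variable appears after a load, the loader ran
# code chosen by the data, not by the program.
MARKER = "PICKLE_DEMO_EXECUTED"
SIDE_EFFECT = f"__import__('os').environ.__setitem__({MARKER!r}, 'yes')"


def marker_is_set() -> bool:
    return os.environ.get(MARKER) == "yes"


def clear_marker() -> None:
    os.environ.pop(MARKER, None)


class Payload:
    """__reduce__ tells pickle how to rebuild the object: a callable plus
    arguments.  The unpickler calls it blindly, so the sender chooses what runs.
    Note that the stream never references this class, only builtins.eval."""

    def __reduce__(self):
        return (eval, (SIDE_EFFECT,))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(Payload())


def naive_load(data: bytes):
    """Unrestricted pickle.loads: executes whatever the stream asks for."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list every global lookup; anything else is an UnpicklingError.
    The allow-list is an assumption for this example, tune it per application."""

    ALLOWED = {("builtins", "list"), ("builtins", "dict"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the restricted loader refused the stream before running anything."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def marshal_roundtrip_runs_nothing() -> bool:
    """marshal can carry a code object with the same side effect compiled in,
    but loading it back is pure deserialisation: nothing runs until someone
    explicitly calls eval()/exec() on the result."""
    clear_marker()
    code = compile(SIDE_EFFECT, "<constructed>", "eval")
    loaded = marshal.loads(marshal.dumps(code))
    return isinstance(loaded, types.CodeType) and not marker_is_set()


def marshal_garbage_is_an_exception(blob: bytes) -> bool:
    """Malformed marshal data has no callable to hand control to; the normal
    outcome is an exception.  (The crash this issue reports is the other
    failure mode of the C reader, not something this input triggers.)"""
    try:
        marshal.loads(blob)
    except (ValueError, EOFError, TypeError):
        return True
    return False


if __name__ == "__main__":
    data = build_malicious_pickle()
    clear_marker()
    naive_load(data)
    print("pickle.loads ran attacker code:", marker_is_set())
    clear_marker()
    print("RestrictedUnpickler refused it:", safe_load_rejects(data))
    print("marshal round-trip ran nothing:", marshal_roundtrip_runs_nothing())
    print("marshal garbage -> exception:", marshal_garbage_is_an_exception(b"\xff\xfe\xfd"))
```

The allow-list unpickler closes the arbitrary-code path but not resource exhaustion or deeply nested streams, so it is a mitigation, not a licence to accept pickles from strangers. On the marshal side, its own documentation still states that it is not intended to be secure against erroneous or maliciously constructed data and that data from untrusted sources should never be unmarshalled, which is exactly the crash class this issue is about.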