[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Christian Heimes christian at python.org
Tue Feb 25 08:39:40 CET 2014


Hi,

this looks pretty serious -- and it caught me off guard, too. :(

https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/

Next time please inform the Python Security Response Team about any
and all issues that are related to buffer overflows or similar bugs.
In fact, please drop a note about anything that even remotely looks like
an exploitable issue. Even public bug reports should be forwarded to PSRT.

I have requested a CVE number. How about security releases? The
upcoming 3.3 and 3.4 releases should contain the fix (not verified
yet). Python 2.7 to 3.2 will need a security release, though.

Regards
Christian


