[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Nick Coghlan ncoghlan at gmail.com
Tue Feb 25 08:53:49 CET 2014

On 25 February 2014 17:39, Christian Heimes <christian at python.org> wrote:
> Hash: SHA512
> Hi,
> this looks pretty serious -- and it caught me off guard, too. :(
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
> Next time please inform the Python Security Response Team about any
> and all issues that are related to buffer overflows or similar bugs.
> In fact please drop a note about anything that even remotely look like
> an exploitable issue. Even public bug reports should be forwarded to PSRT.
> I have requested a CVE number. How about security releases? The
> upcoming 3.3 and 3.4 release should contain the fix (not verified
> yet).

I've checked these, and noted the relevant hg.python.org links on the
tracker issue at http://bugs.python.org/issue20246

> Python 2.7 to 3.2 will need a security release, though.



Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list