[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Antoine Pitrou solipsis at pitrou.net
Tue Feb 25 12:46:30 CET 2014


On Tue, 25 Feb 2014 08:39:40 +0100
Christian Heimes <christian at python.org> wrote:
> 
> this looks pretty serious -- and it caught me off guard, too. :(
> 
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
> 
> Next time please inform the Python Security Response Team about any
> and all issues that are related to buffer overflows or similar bugs.
> In fact please drop a note about anything that even remotely looks like
> an exploitable issue. Even public bug reports should be forwarded to PSRT.

If that's the case, then can't we have an email hook on bugs.python.org
every time an issue is classified as security? (either when created or
later when modified)

"Bug reports should be forwarded to PSRT" just adds a tedious and
unnecessary manual step.

Regards

Antoine.
