[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Maciej Fijalkowski fijall at gmail.com
Tue Feb 25 19:38:46 CET 2014

On Tue, Feb 25, 2014 at 5:22 PM, Barry Warsaw <barry at python.org> wrote:
> On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>>Oh, I thought security fixes go to all python releases.
> Well, not the EOL'd ones of course.

yes of course sorry.

> Where's the analysis on backporting SIPHash to older Python versions?  Would
> such a backport break backward compatibility?  What other impacts would
> backporting have?  Would it break pickles, marshals, or other serialization
> protocols?  Are there performance penalties?
> While security should be a top priority, it isn't the only consideration in
> such cases.  A *lot* of discussion went into how to effect the hash
> randomization in Python 2.7, because of questions like these.  The same
> analysis would have to be done for backporting this change to active older
> Python versions.

My impression is that a lot of discussion went into hash
randomization, because it was a high profile issue. It got "fixed",
then later someone discovered that the fix is completely broken and
was left at that without much discussion because it's no longer "high
visibility". I would really *like* to perceive this process as a lot
of discussion going into because of ramification of changes.


More information about the Python-Dev mailing list