[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()
fijall at gmail.com
Tue Feb 25 19:38:46 CET 2014
On Tue, Feb 25, 2014 at 5:22 PM, Barry Warsaw <barry at python.org> wrote:
> On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>>Oh, I thought security fixes go to all python releases.
> Well, not the EOL'd ones of course.
Yes, of course, sorry.
> Where's the analysis on backporting SIPHash to older Python versions? Would
> such a backport break backward compatibility? What other impacts would
> backporting have? Would it break pickles, marshals, or other serialization
> protocols? Are there performance penalties?
> While security should be a top priority, it isn't the only consideration in
> such cases. A *lot* of discussion went into how to effect the hash
> randomization in Python 2.7, because of questions like these. The same
> analysis would have to be done for backporting this change to active older
> Python versions.
My impression is that a lot of discussion went into hash
randomization because it was a high-profile issue. It got "fixed",
then later someone discovered that the fix is completely broken, and
it was left at that without much discussion because it's no longer "high
visibility". I would really *like* to perceive this process as a lot
of discussion going into it because of the ramifications of the changes.