[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Antoine Pitrou solipsis at pitrou.net
Tue Feb 25 19:49:24 CET 2014


On Tue, 25 Feb 2014 20:38:46 +0200
Maciej Fijalkowski <fijall at gmail.com> wrote:
> 
> My impression is that a lot of discussion went into hash
> randomization, because it was a high profile issue. It got "fixed",
> then later someone discovered that the fix is completely broken and
> was left at that without much discussion because it's no longer "high
> visibility". I would really *like* to perceive this process as a lot
> of discussion going into because of ramification of changes.

Most of the discussion, AFAIR, was about the potential backwards
compatibility issues (which led to the decision of adding hash
randomization in 2.7, but disabled by default).

But you're right that for some reason it suddenly became a "high
profile issue" while the general attack mechanism had apparently been
known for years.
(and AFAIK there's no proof of actual attacks in the wild)

Regards

Antoine.



