[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Nick Coghlan ncoghlan at gmail.com
Tue Feb 25 21:46:00 CET 2014 

On 26 Feb 2014 04:51, "Antoine Pitrou" <solipsis at pitrou.net> wrote:
>
> On Tue, 25 Feb 2014 20:38:46 +0200
> Maciej Fijalkowski <fijall at gmail.com> wrote:
> >
> > My impression is that a lot of discussion went into hash
> > randomization, because it was a high profile issue. It got "fixed",
> > then later someone discovered that the fix is completely broken and
> > was left at that without much discussion because it's no longer "high
> > visibility". I would really *like* to perceive this process as a lot
> > of discussion going into because of ramification of changes.
>
> Most of the discussion, AFAIR, was about the potential backwards
> compatibility issues (which led to the decision of adding hash
> randomization in 2.7, but disabled by default).
>
> But you're right that for some reason it suddenly became a "high
> profile issue" while the general attack mechanism had apparently been
> known for years.
> (and AFAIK there's no proof of actual attacks in the wild)

Remote DOS attacks are so easy and so prevalent that if all a CVE does is
make them slightly easier when untrusted input isn't properly validated and
resource consumption per request isn't capped, security teams rank it as a
pretty low threat and not very interesting.

However, there was a paper that presented this one like it was a big
revelation, it stirred up a lot of complaints, so doing something about it
ended up being easier than repeatedly explaining why it didn't really
matter that much. Donald's right that the original fix just increased the
required attack payload size from 1 MB (if I recall the number correctly)
to 256 MB total, but at that point attempts to exploit it are starting to
look like a more conventional DoS (one that doesn't rely on any particular
vulnerability to be effective) anyway.

It's still nice to finally have it fixed properly in 3.4, though, and the
original change at least took care of the problem of getting people to
update their code that previously relied on consistent dict ordering.
Without that previous work, the hash change for 3.4 would have been more
challenging.

Cheers,
Nick.

>
> Regards
>
> Antoine.
>
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140226/4e7f6e17/attachment.html>

More information about the Python-Dev mailing list