Author steve.dower
Recipients BreamoreBoy, JohnLeitch, belopolsky, brycedarling, eryksun, georg.brandl, larry, lemburg, paul.moore, python-dev, steve.dower, tim.golden, vstinner, zach.ware
Date 2015-09-06.06:04:11
Message-id <1441519451.89.0.66286874828.issue24917@psf.upfronthosting.co.za>
Content
Having now read over this whole issue, I don't actually see where the security vulnerability is (on Windows at least).

This is a user-mode read, so it can only access memory in the same process, and it doesn't display it anywhere. The worst that can happen is that it hits an unreadable page and crashes, which falls under "undefined behaviour due to invalid input".

I think we should just revert the patch completely.