Message208062
recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end.
I will attach patches for 3.4 and 2.7, I'm not familiar with the backporting procedure to go further but all versions since 2.5 have this bug and while very highly unlikely it's technically remotely exploitable.
Quickie trigger script, crash on interpreter exit:
--------- BEGIN SEGFAULT ---------
import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024) |
|
Date |
User |
Action |
Args |
2014-01-14 00:43:59 | rmsr | set | recipients:
+ rmsr |
2014-01-14 00:43:59 | rmsr | set | messageid: <1389660239.25.0.341393063834.issue20246@psf.upfronthosting.co.za> |
2014-01-14 00:43:59 | rmsr | link | issue20246 messages |
2014-01-14 00:43:59 | rmsr | create | |
|