Author JohnLeitch
Recipients BreamoreBoy, JohnLeitch, belopolsky, brycedarling, eryksun, georg.brandl, larry, lemburg, paul.moore, python-dev, steve.dower, tim.golden, vstinner, zach.ware
Date 2015-09-06.06:34:54
Message-id <1441521294.85.0.177418140959.issue24917@psf.upfronthosting.co.za>
In-reply-to
Content
Yes, this is a user-mode read, but I disagree with the assertion that it's not possible to use this to disclose memory. While it isn't as critical as something that outright dumps memory, there is logic that throws exceptions based on values encountered while reading outside the bounds of the buffer. This could be used as a channel to infer what is or isn't in adjacent memory. That it's user-mode doesn't matter--if an application exposes the format string as attack surface, suddenly process memory can be probed. So, it's not Heartbleed, but it does have security implications. If you'd like, I can take a shot at building a PoC.

Further, it's best to err on the side of caution with bugs like these; just because it doesn't seem like a major issue now doesn't mean someone won't come along in the future and prove otherwise.
History
Date | User | Action | Args
2015-09-06 06:34:54 | JohnLeitch | set | recipients: + JohnLeitch, lemburg, georg.brandl, paul.moore, belopolsky, vstinner, larry, tim.golden, BreamoreBoy, python-dev, zach.ware, eryksun, steve.dower, brycedarling
2015-09-06 06:34:54 | JohnLeitch | set | messageid: <1441521294.85.0.177418140959.issue24917@psf.upfronthosting.co.za>
2015-09-06 06:34:54 | JohnLeitch | link | issue24917 messages
2015-09-06 06:34:54 | JohnLeitch | create |