
Author vstinner
Recipients benjamin.peterson, serhiy.storchaka, vstinner
Date 2017-09-20.13:36:42
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1505914602.32.0.202654150349.issue31530@psf.upfronthosting.co.za>
In-reply-to
Content
The bug was first reported to the private Python security mailing list. The PSRT decided that it's a regular bug and doesn't need to be categorized as a vulnerability, since the attacker has to be able to run arbitrary code in practice.

The PSRT considers that no Python 2.7 application currently relies on reading from the same file object "at the same time" from different threads, since it currently crashes.

So an attacker would have to run his/her own code... but if an attacker can already run arbitrary code, why rely on an unstable race condition and inject machine code (so not portable), whereas the Python standard library is full of nice features to write your portable exploit?

For more information, see the Python security model:
https://python-security.readthedocs.io/security.html#security-model
History
Date                 User      Action  Args
2017-09-20 13:36:42  vstinner  set     recipients: + vstinner, benjamin.peterson, serhiy.storchaka
2017-09-20 13:36:42  vstinner  set     messageid: <1505914602.32.0.202654150349.issue31530@psf.upfronthosting.co.za>
2017-09-20 13:36:42  vstinner  link    issue31530 messages
2017-09-20 13:36:42  vstinner  create