Message302613
The bug was first reported to the private Python security mailing list. The PSRT decided that it's a regular bug and doesn't need to be categorized as a vulnerability, since the attacker has to be able to run arbitrary code in practice.
The PSRT considers that no Python 2.7 application currently relies on reading from the same file object "at the same time" from different threads, since it currently crashes.
So an attacker would have to run his/her own code... but if an attacker can already run arbitrary code, why rely on an unstable race condition and inject machine code (so not portable), whereas the Python standard library is full of nice features to write your portable exploit?
For more information, see the Python security model:
https://python-security.readthedocs.io/security.html#security-model

Date | User | Action | Args
2017-09-20 13:36:42 | vstinner | set | recipients: + vstinner, benjamin.peterson, serhiy.storchaka
2017-09-20 13:36:42 | vstinner | set | messageid: <1505914602.32.0.202654150349.issue31530@psf.upfronthosting.co.za>
2017-09-20 13:36:42 | vstinner | link | issue31530 messages
2017-09-20 13:36:42 | vstinner | create |