Author ned.deily
Recipients BT123, ned.deily, serhiy.storchaka
Date 2018-03-02.03:43:43
Message-id <1519962224.6.0.467229070634.issue32056@psf.upfronthosting.co.za>
Content
> I agree that it is very small, but I still think it is indeed a security issue, because it can crash real world program when called by some library used in Deep Learning ASR project. 

That sounds like a programming error, not a security bug. The case you describe causes a Python exception to be raised. As noted in the Python Language Reference: "Exceptions are a means of breaking out of the normal flow of control of a code block in order to handle errors or other exceptional conditions." Any program using Python libraries needs to be prepared to handle a wide variety of exceptions, particularly if the program is dealing with external data, like an arbitrary audio file. If a program is failing because it fails to properly check for exceptions, like by using a "try" block, that's a bug in the program, not a security problem in Python.

> Does a CVE assigned have any negative impact on you?

Yes, because it implies that there is some security problem in Python that downstream vendors and users need to be concerned about and should expect some fix or other mediation from the responsible project.  That is not the case here.

Now, as Serhiy noted, it might be nice if the exception produced a more meaningful message, but changing that would not change the end result for a program: it will still see an exception and either need to handle it or be terminated like with any other Python exception.
History
Date                 User       Action  Args
2018-03-02 03:43:44  ned.deily  set     recipients: + ned.deily, serhiy.storchaka, BT123
2018-03-02 03:43:44  ned.deily  set     messageid: <1519962224.6.0.467229070634.issue32056@psf.upfronthosting.co.za>
2018-03-02 03:43:44  ned.deily  link    issue32056 messages
2018-03-02 03:43:43  ned.deily  create
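The exception handling described in the message above, as an added example that is not part of the original message or of CPython: a loader for untrusted audio that turns parser failures into per-file rejections instead of a crashed batch. It assumes the standard-library `wave` module as the parser (the page does not name the module); `load_pcm`, `triage`, `make_wav` and the sample bytes are hypothetical and constructed for illustration.

```python
import io
import struct
import wave

# Failures treated as "malformed input". wave.Error and EOFError are what the
# parser normally raises; the rest are an assumption covering odd-header faults.
BAD_INPUT = (wave.Error, EOFError, ArithmeticError, ValueError, struct.error)


def load_pcm(data, max_frames=10_000_000):
    """Parse untrusted WAV bytes; return (params, frames) or raise ValueError."""
    try:
        with wave.open(io.BytesIO(data), "rb") as w:
            n = w.getnframes()
            if n > max_frames:
                raise ValueError("frame count exceeds limit")
            frames = w.readframes(n)
            # A short read is not an exception, so check it explicitly.
            if len(frames) != n * w.getnchannels() * w.getsampwidth():
                raise ValueError("data shorter than header claims")
            return w.getparams(), frames
    except BAD_INPUT as exc:
        raise ValueError(f"{type(exc).__name__}: {exc}") from exc


def triage(samples):
    """Load every sample; one bad file never stops the batch."""
    accepted, rejected = {}, {}
    for name, data in samples.items():
        try:
            params, frames = load_pcm(data)
            accepted[name] = (params.nchannels, params.framerate, len(frames))
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


def make_wav(nframes=8):
    """Constructed sample: mono, 16-bit, 16 kHz silence."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(16000)
        w.writeframes(b"\x00\x00" * nframes)
    return buf.getvalue()


# Constructed inputs: one valid file and four malformed ones.
SAMPLES = {"ok.wav": make_wav(), "cut_header.wav": make_wav()[:20],
           "cut_data.wav": make_wav()[:-6], "not_audio.bin": b"\x00" * 64,
           "empty.wav": b""}
```

Calling `triage(SAMPLES)` returns the accepted and rejected files as two dictionaries, with the rejection reason recorded per file name.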