
Author: serhiy.storchaka
Recipients: alexandre.vassalotti, benjamin.peterson, hroncok, miss-islington, serhiy.storchaka, shuoz, xtreak
Date: 2019-01-09.09:33:25
Message-id: <1547026405.23.0.0683298251208.issue34656@roundup.psfhosted.org>
In-reply-to:

Content:
I am not sure this issue should be classified as a security issue. It can cause DDOS, because pickle should not be used with untrusted data. If it is used, the program has more severe security issues than just DDOS.

The crash could be triggered by accident, but this is very unlikely. I doubt that this happened even once in the real world. Libraries used for handling a large amount of data (like NumPy) use more efficient pickle representation, and can provide even more efficient alternate serialization methods. Note that integers and floats are not memoized; this increases the complexity and size of data that could be affected by this bug.

But I think that this fix needs a news entry. Do you mind adding it, Benjamin?
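The remark above that integers and floats are not memoized can be checked directly on the pickle stream. The following is an added example, not code from this issue or from CPython; it uses the standard `pickletools` module to count memo-storing opcodes (`MEMOIZE`, `PUT`, `BINPUT`, `LONG_BINPUT`) for a few constructed payloads, which shows how much of the memo table each object type actually consumes.

```python
import pickle
import pickletools

# Opcodes that add an entry to the unpickler's memo table.
MEMO_OPCODES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def memo_stats(obj, protocol=pickle.HIGHEST_PROTOCOL):
    """Pickle obj and report stream size and number of memo entries created."""
    data = pickle.dumps(obj, protocol=protocol)
    memo_puts = sum(
        1 for opcode, _arg, _pos in pickletools.genops(data)
        if opcode.name in MEMO_OPCODES
    )
    return {"bytes": len(data), "memo_puts": memo_puts}


def compare_payloads(n=1000):
    """Constructed sample payloads: same element count, different memo cost.

    Only the outer list is memoized for ints and floats; every distinct
    string adds its own memo entry on top of that.
    """
    return {
        "ints": memo_stats(list(range(n))),
        "floats": memo_stats([float(i) for i in range(n)]),
        "strings": memo_stats([f"s{i}" for i in range(n)]),
    }


if __name__ == "__main__":
    for kind, stats in compare_payloads().items():
        print(f"{kind:8s} bytes={stats['bytes']:6d} memo_puts={stats['memo_puts']}")
```

The string payload creates one memo entry per element plus one for the list, whereas the int and float payloads create exactly one, so memo growth depends on the element types, not just the element count.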
History:

Date | User | Action | Args
2019-01-09 09:33:26 | serhiy.storchaka | set | recipients: + serhiy.storchaka, alexandre.vassalotti, benjamin.peterson, hroncok, miss-islington, xtreak, shuoz
2019-01-09 09:33:25 | serhiy.storchaka | set | messageid: <1547026405.23.0.0683298251208.issue34656@roundup.psfhosted.org>
2019-01-09 09:33:25 | serhiy.storchaka | link | issue34656 messages
2019-01-09 09:33:25 | serhiy.storchaka | create |