Author vstinner
Recipients alexandre.vassalotti, benjamin.peterson, hroncok, mcepl, miss-islington, serhiy.storchaka, shuoz, vstinner, xtreak
Date 2019-01-22.12:34:09
Message-id <1548160449.46.0.366589851428.issue34656@roundup.psfhosted.org>
Content
New changeset a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd by Benjamin Peterson in branch 'master':
closes bpo-34656: Avoid relying on signed overflow in _pickle memos. (GH-9261)
https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd

It seems like this patch changes the implementation of the internal "memo" object which is a custom C type in Python 3.

In Python 2 cPickle, the memo is a regular dictionary and so I'm not sure that Python 2 is affected by this vulnerability.

Can someone please confirm?
History
Date User Action Args
2019-01-22 12:34:10 vstinner set recipients: + vstinner, alexandre.vassalotti, benjamin.peterson, mcepl, serhiy.storchaka, hroncok, miss-islington, xtreak, shuoz
2019-01-22 12:34:09 vstinner set messageid: <1548160449.46.0.366589851428.issue34656@roundup.psfhosted.org>
2019-01-22 12:34:09 vstinner link issue34656 messages
2019-01-22 12:34:09 vstinner create