Message 334209 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	alexandre.vassalotti, benjamin.peterson, hroncok, mcepl, miss-islington, serhiy.storchaka, shuoz, vstinner, xtreak
Date	2019-01-22.12:34:09
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1548160449.46.0.366589851428.issue34656@roundup.psfhosted.org>
In-reply-to

Content
New changeset a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd by Benjamin Peterson in branch 'master': closes bpo-34656: Avoid relying on signed overflow in _pickle memos. (GH-9261) https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd It seems like this patch changes the implementation of the internal "memo" object which is a custom C type in Python 3. In Python 2 cPickle, the memo is a regular dictionary and so I'm not sure that Python 2 is affected by this vulnerability. Can someone please confirm?

New changeset a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd by Benjamin Peterson in branch 'master':
closes bpo-34656: Avoid relying on signed overflow in _pickle memos. (GH-9261)
https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd

It seems like this patch changes the implementation of the internal "memo" object which is a custom C type in Python 3.

In Python 2 cPickle, the memo is a regular dictionary and so I'm not sure that Python 2 is affected by this vulnerability.

Can someone please confirm?

History
Date	User	Action	Args
2019-01-22 12:34:10	vstinner	set	recipients: + vstinner, alexandre.vassalotti, benjamin.peterson, mcepl, serhiy.storchaka, hroncok, miss-islington, xtreak, shuoz
2019-01-22 12:34:09	vstinner	set	messageid: <1548160449.46.0.366589851428.issue34656@roundup.psfhosted.org>
2019-01-22 12:34:09	vstinner	link	issue34656 messages
2019-01-22 12:34:09	vstinner	create