Author Junyu Zhang
Recipients Junyu Zhang
Date 2020-03-22.05:58:16
Message-id <1584856696.55.0.228869164986.issue40039@roundup.psfhosted.org>
In-reply-to
Content
description:
When we were using Python to develop a distributed process service, I noticed that the default serialization parameter of Manager and ManagerBase in multiprocessing was pickle, and it didn't seem to be mentioned in the official website's documentation. This is unsafe unless our server can completely trust the recv data, but if authkey is not set or leaked, it will cause RCE on the server side, so I applied for a CVE-ID to remind everyone of this security issue. For details of the vulnerability and the PoC code, please refer to the PDF file.
History
Date                 User         Action  Args
2020-03-22 05:58:16  Junyu Zhang  set     recipients: + Junyu Zhang
2020-03-22 05:58:16  Junyu Zhang  set     messageid: <1584856696.55.0.228869164986.issue40039@roundup.psfhosted.org>
2020-03-22 05:58:16  Junyu Zhang  link    issue40039 messages
2020-03-22 05:58:16  Junyu Zhang  create
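
An added example, not part of the original report or of CPython's own code: it reads the default serializer from the `BaseManager` signature, then serves a manager on loopback with a random authkey and shows that a client holding a different key is rejected in the HMAC challenge, before the server unpickles any request. The helper names (`default_serializer`, `new_authkey`, `start_loopback_manager`, `can_connect`) and the wrong key value are constructed for this illustration.

```python
import inspect
import secrets
import threading
from multiprocessing import AuthenticationError
from multiprocessing.managers import BaseManager


def default_serializer():
    """Return the serializer BaseManager uses when none is passed."""
    return inspect.signature(BaseManager.__init__).parameters["serializer"].default


def new_authkey():
    """32 random bytes; distribute out of band, never hard-code or log it."""
    return secrets.token_bytes(32)


def start_loopback_manager(authkey):
    """Serve a manager on 127.0.0.1 (ephemeral port) in a daemon thread."""
    manager = BaseManager(address=("127.0.0.1", 0), authkey=authkey)
    server = manager.get_server()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.address  # (host, port actually bound)


def can_connect(address, authkey):
    """True if the server accepts this authkey in its HMAC challenge."""
    client = BaseManager(address=address, authkey=authkey)
    try:
        client.connect()
    except AuthenticationError:
        return False
    return True


if __name__ == "__main__":
    key = new_authkey()
    address = start_loopback_manager(key)
    print("default serializer:", default_serializer())
    print("correct key accepted:", can_connect(address, key))
    # Constructed wrong key, standing in for a client that does not hold the secret.
    print("wrong key accepted:", can_connect(address, b"constructed-wrong-key"))
```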