Message 373117 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	Iman Sharafaldin, christian.heimes, serhiy.storchaka, vstinner
Date	2020-07-06.13:58:32
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1594043912.1.0.136714629459.issue41208@roundup.psfhosted.org>
In-reply-to

Content
Python's thread model is: If an attacker can create a malicious PYC file and feed it to a Python process, then they already have full code execution privileges. There is no need to exploit a segfault. Because the marshal module should only be used for PYC files, they can straight out execute any Python code at import time. That's much simpler and works on all operating systems.

Python's thread model is:
If an attacker can create a malicious PYC file and feed it to a Python process, then they already have full code execution privileges. There is no need to exploit a segfault. Because the marshal module should only be used for PYC files, they can straight out execute any Python code at import time. That's much simpler and works on all operating systems.

History
Date	User	Action	Args
2020-07-06 13:58:32	christian.heimes	set	recipients: + christian.heimes, vstinner, serhiy.storchaka, Iman Sharafaldin
2020-07-06 13:58:32	christian.heimes	set	messageid: <1594043912.1.0.136714629459.issue41208@roundup.psfhosted.org>
2020-07-06 13:58:32	christian.heimes	link	issue41208 messages
2020-07-06 13:58:32	christian.heimes	create