Message 379175 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	wessen
Recipients	wessen
Date	2020-10-21.00:25:10
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1603239911.48.0.657036824442.issue42103@roundup.psfhosted.org>
In-reply-to

Content
In versions of Python from 3.4-3.10, the Python core plistlib library supports Apple's binary plist format. When given malformed input, the implementation can be forced to create an argument to struct.unpack() which consumes all available CPU and memory until a MemError is thrown as it builds the 'format' argument to unpack(). This can be seen with the following malformed example binary plist input: ``` $ xxd binary_plist_dos.bplist 00000000: 6270 6c69 7374 3030 d101 0255 614c 6973 bplist00...UaLis 00000010: 74a5 0304 0506 0000 00df 4251 4351 44a3 t.........BQCQD. 00000020: 0809 0a10 0110 0210 0308 0b11 1719 1b1d ................ 00000030: 0000 0101 0000 0000 0000 000b 0000 0000 ................ 00000040: 0000 0000 0000 0000 0000 0029 ...........) ``` The error is reached in the following lines of plistlib.py: (https://github.com/python/cpython/blob/e9959c71185d0850c84e3aba0301fbc238f194a9/Lib/plistlib.py#L485) ``` def _read_ints(self, n, size): data = self._fp.read(size * n) if size in _BINARY_FORMAT: return struct.unpack('>' + _BINARY_FORMAT[size] * n, data) ``` When the malicious example above is opened by plistlib, it results in 'n' being controlled by the input and it can be forced to be very large. Plistlib attempts to build a string which is as long as 'n', consuming excessive resources. Apple's built in utilities for handling plist files detects this same file as malformed and will not process it.

In versions of Python from 3.4-3.10, the Python core plistlib library supports Apple's binary plist format. When given malformed input, the implementation can be forced to create an argument to struct.unpack() which consumes all available CPU and memory until a MemError is thrown as it builds the 'format' argument to unpack().

This can be seen with the following malformed example binary plist input:

```
$ xxd binary_plist_dos.bplist
00000000: 6270 6c69 7374 3030 d101 0255 614c 6973  bplist00...UaLis
00000010: 74a5 0304 0506 0000 00df 4251 4351 44a3  t.........BQCQD.
00000020: 0809 0a10 0110 0210 0308 0b11 1719 1b1d  ................
00000030: 0000 0101 0000 0000 0000 000b 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0029            ...........)

```
The error is reached in the following lines of plistlib.py:
(https://github.com/python/cpython/blob/e9959c71185d0850c84e3aba0301fbc238f194a9/Lib/plistlib.py#L485)

```
    def _read_ints(self, n, size):
        data = self._fp.read(size * n)
        if size in _BINARY_FORMAT:
            return struct.unpack('>' + _BINARY_FORMAT[size] * n, data)
```
When the malicious example above is opened by plistlib, it results in 'n' being controlled by the input and it can be forced to be very large. Plistlib attempts to build a string which is as long as 'n', consuming excessive resources.

Apple's built in utilities for handling plist files detects this same file as malformed and will not process it.

History
Date	User	Action	Args
2020-10-21 00:25:11	wessen	set	recipients: + wessen
2020-10-21 00:25:11	wessen	set	messageid: <1603239911.48.0.657036824442.issue42103@roundup.psfhosted.org>
2020-10-21 00:25:11	wessen	link	issue42103 messages
2020-10-21 00:25:10	wessen	create