Message 388399 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	hroncok
Recipients	hroncok, kj, lemburg, lukasz.langa, mdk, ned.deily, serhiy.storchaka, vstinner
Date	2021-03-10.00:31:38
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1615336299.11.0.620753349125.issue42988@roundup.psfhosted.org>
In-reply-to

Content
Todd Cullum from Red Hat Security team: "I don't have an account on Python's tracker, would you mind forwarding to upstream on my behalf that this is not only locally exploitable, but it can be exploited by actors on the adjacent network as well because https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5 was introduced in Python 3.7.0 alpha 1. I just used the -n option and got to read some of my own files using my cell phone on the WiFi. It does require the port to be unblocked by firewall though."

Todd Cullum from Red Hat Security team:

"I don't have an account on Python's tracker, would you mind forwarding to upstream on my behalf that this is not only locally exploitable, but it can be exploited by actors on the adjacent network as well because https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5 was introduced in Python 3.7.0 alpha 1. I just used the -n option and got to read some of my own files using my cell phone on the WiFi. It does require the port to be unblocked by firewall though."

History
Date	User	Action	Args
2021-03-10 00:31:39	hroncok	set	recipients: + hroncok, lemburg, vstinner, ned.deily, lukasz.langa, serhiy.storchaka, mdk, kj
2021-03-10 00:31:39	hroncok	set	messageid: <1615336299.11.0.620753349125.issue42988@roundup.psfhosted.org>
2021-03-10 00:31:39	hroncok	link	issue42988 messages
2021-03-10 00:31:38	hroncok	create