[issue29514] Add a test case that prevents magic number changes in minor releases
Serhiy Storchaka
report at bugs.python.org
Sat Feb 11 11:32:40 EST 2017
Serhiy Storchaka added the comment:
My apologies for breaking the world. But I considered this bug as security issue. Unlikely, but not impossible. The BUILD_MAP_UNPACK_WITH_CALL opcode is rarely used, but if it is used, it can cause reading arbitrary memory and either crashing or even exposing the content of this memory in error message that can be leaked to remote user. This hole would be better to close early. I expected this change would be included in 3.5.2.
The more robust solution would be to add the support of two magic numbers and check on loading whether the BUILD_MAP_UNPACK_WITH_CALL opcode is occurred in a precompiled file with old magic number. But this solution looked too excessive.
It would be nice to design a mechanism for possible future bytecode fixes.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29514>
_______________________________________
More information about the Python-bugs-list
mailing list