[issue30657] [security] CVE-2017-1000158: Unsafe arithmetic in PyString_DecodeEscape

STINNER Victor report at bugs.python.org
Wed Nov 29 12:09:27 EST 2017


STINNER Victor <victor.stinner at gmail.com> added the comment:

Serhiy: "I don't think it is worth adding this vulnerability to the python-security website. You need to compile a 1 GiB Python file on a 32-bit system to reproduce it. It is very unlikely that this can happen by accident, and it is hard to use it in a security attack. If you can make the attacked program compile a 1 GiB Python file, you perhaps have easier ways to cause harm."

I'm trying to keep track of all CVEs. People are scared by CVE numbers :-( But it seems like any bug can get a CVE number, without any real evaluation of the severity of the bug.

I completed the description on python-security with your paragraph.

FYI I wrote python-security to make sure that vulnerabilities are fixed in supported Python branches. Here it seems like we forgot to fix Python 3.4 and 3.5.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue30657>
_______________________________________