A bug in the pickle.load() function can cause a memory-exhaustion denial of service.
Dates:
Disclosure date: 2018-09-13 (Python issue bpo-34656 reported)
Python 3.4.10 (2019-03-18) fixed by commit 4b42d57 (branch 3.4) (2019-02-25)
Python 3.5.7 (2019-03-18) fixed by commit ef33dd6 (branch 3.5) (2019-02-26)
Python 3.6.7 (2018-10-20) fixed by commit 71a9c65 (branch 3.6) (2018-09-21)
Python 3.7.1 (2018-10-20) fixed by commit ef4306b (branch 3.7) (2018-09-21)
Python 3.8.0 (2019-10-14) fixed by commit a4ae828 (branch 3.8) (2018-09-21)
[CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393.
Python issue: bpo-34656
Creation date: 2018-09-13
Reporter: shuoz
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a “resize to twice the size” attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVE ID: CVE-2018-20406
Published: 2018-12-23
CVSS Score: 5.0
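The description above traces the exhaustion to a LONG_BINPUT memo index far larger than anything a real pickler emits (CPython assigns memo indices sequentially, 0, 1, 2, ...). The following check, added here as an illustration and not part of the original advisory or of CPython, walks a pickle's opcode stream with the standard pickletools.genops() (which parses without executing) and rejects memo indices that jump ahead of the number of objects memoized so far; the sample pickles are constructed, and the 70000 index is an arbitrary out-of-sequence value, not the threshold that triggered the bug.

```python
import pickle
import pickletools

# Opcodes that store the object on top of the stack in the unpickler's memo.
# CPython's pickler assigns memo indices sequentially (0, 1, 2, ...), so an
# index that jumps past the number of objects memoized so far was not produced
# by a normal pickler and only serves to force the memo table to grow.
MEMO_PUT_OPCODES = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}


def check_memo_indices(data: bytes):
    """Walk the opcode stream with pickletools.genops, which parses without
    executing anything, and reject out-of-sequence memo indices.
    Returns (ok, reason)."""
    puts = 0  # memo slots a sequential pickler would have used by now
    try:
        for opcode, arg, pos in pickletools.genops(data):
            if opcode.name not in MEMO_PUT_OPCODES:
                continue
            # MEMOIZE (protocol 4) carries no argument: it implies index == puts
            idx = puts if opcode.name == "MEMOIZE" else int(arg)
            if idx > puts:
                return False, (f"{opcode.name} index {idx} at offset {pos} "
                               f"but only {puts} objects memoized so far")
            puts += 1
    except ValueError as exc:  # genops raises ValueError on malformed streams
        return False, f"malformed pickle: {exc}"
    return True, f"ok ({puts} memo entries)"


def guarded_loads(data: bytes):
    """Refuse to unpickle data that fails the memo-index check."""
    ok, reason = check_memo_indices(data)
    if not ok:
        raise ValueError(reason)
    return pickle.loads(data)


# Constructed samples (not from the original advisory):
# 1. a normal pickle, whose memo indices are sequential
BENIGN = pickle.dumps({"key": [1, 2, 3]}, protocol=4)
# 2. PROTO 2, BININT1 5, LONG_BINPUT 70000, STOP: the first memo index
#    jumps to 70000 although nothing has been memoized yet
SUSPECT = b"\x80\x02K\x05r" + (70000).to_bytes(4, "little") + b"."

if __name__ == "__main__":
    print(check_memo_indices(BENIGN))
    print(check_memo_indices(SUSPECT))
```

This only screens the memo-index pattern described on this page; it does not make pickle safe for untrusted input in general.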
Timeline using the disclosure date 2018-09-13 as reference:
2018-09-13: Python issue bpo-34656 reported by shuoz
2018-09-21 (+8 days): commit 71a9c65 (branch 3.6)
2018-09-21 (+8 days): commit a4ae828 (branch 3.8)
2018-09-21 (+8 days): commit ef4306b (branch 3.7)
2018-10-20 (+37 days): Python 3.6.7 released
2018-10-20 (+37 days): Python 3.7.1 released
2018-12-23 (+101 days): CVE-2018-20406 published
2019-02-25 (+165 days): commit 4b42d57 (branch 3.4)
2019-02-26 (+166 days): commit ef33dd6 (branch 3.5)
2019-03-18 (+186 days): Python 3.4.10 released
2019-03-18 (+186 days): Python 3.5.7 released
2019-10-14: Python 3.8.0 released