Skip to content

gh-119342: Fix OOM vulnerability in plistlib #119343

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

gh-119342: Fix OOM vulnerability in plistlib #119343

wants to merge 3 commits into from
+56 −14

Conversation

serhiy-storchaka
Copy link
Member

@serhiy-storchaka serhiy-storchaka commented May 21, 2024
edited by bedevere-app bot
Loading

Reading a specially prepared small Plist file could cause OOM because file's read(n) preallocates a bytes object for reading the specified amount of data. Now plistlib reads large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file.

@serhiy-storchaka
pythongh-119342: Fix OOM vulnerability in plistlib
6969658 
Reading a specially prepared small Plist file could cause OOM because file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
@serhiy-storchaka serhiy-storchaka added type-security A security issue needs backport to 3.8 needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels May 21, 2024
@bedevere-app bedevere-app bot mentioned this pull request May 21, 2024
Open
picnixz
picnixz reviewed May 22, 2024
View reviewed changes
Lib/plistlib.py Outdated
if len(data) != size:
raise InvalidFileException
return data
cursize = min(size, 1 << 20)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to perhaps make (1 << 20) as a constant the same way you did for the pickle vulnerability?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe. In the pickle module the constant is used in several places, so there are more reasons to use a named constant there.

serhiy-storchaka and others added 2 commits May 22, 2024 16:00
@serhiy-storchaka @picnixz
Apply suggestions from code review
efcb8c5 
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@serhiy-storchaka
Use a named constant.
412032b
@gpshead gpshead marked this pull request as draft May 24, 2024 19:58
@gpshead
Copy link
Member

gpshead commented May 24, 2024

I've marked this Draft for now as discussion on this on the security response team list is not complete. (we'll summarize that in a public issue once it has settled)

@gpshead gpshead mentioned this pull request Jan 20, 2025
Merged
@encukou
Copy link
Member

encukou commented Jan 27, 2025

See #119514 (comment) for results of the PSRT discussion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@picnixz picnixz picnixz left review comments

@ronaldoussoren ronaldoussoren Awaiting requested review from ronaldoussoren

Assignees
No one assigned
Labels
needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@serhiy-storchaka @gpshead @encukou @picnixz @hugovk