Message 332354 - Python tracker

Message332354

Author	serhiy.storchaka
Recipients	eric.smith, serhiy.storchaka, vstinner, xtreak
Date	2018-12-22.16:14:26
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1545495266.24.0.0770528567349.issue35560@roundup.psfhosted.org>
In-reply-to

Content
This bug is not new, and this is the first report for it. It can be treated as a security issue if an application allows user to specify format string. But using a format string from untrusted source causes a security issue itself, because this allows to spend memory and CPU time for creating an arbitrary large string object. Also, unlikely debug builds be used in production. I would backport the solution of this issue to 3.6, but it is not bad if it will be not backported. I think this is not a release blocker.

Content

This bug is not new, and this is the first report for it. It can be treated as a security issue if an application allows user to specify format string. But using a format string from untrusted source causes a security issue itself, because this allows to spend memory and CPU time for creating an arbitrary large string object. Also, unlikely debug builds be used in production.

I would backport the solution of this issue to 3.6, but it is not bad if it will be not backported. I think this is not a release blocker.

History
Date	User	Action	Args
2018-12-22 16:14:28	serhiy.storchaka	set	recipients: + serhiy.storchaka, vstinner, eric.smith, xtreak
2018-12-22 16:14:26	serhiy.storchaka	set	messageid: <1545495266.24.0.0770528567349.issue35560@roundup.psfhosted.org>
2018-12-22 16:14:26	serhiy.storchaka	link	issue35560 messages
2018-12-22 16:14:26	serhiy.storchaka	create