--- Begin Message ---
Subject: Python CVE-2021-3177
Date: Thu, 18 Feb 2021 22:21:34 -0500
Quoting from MITRE:
------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely.
------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?
I assume that Python is considered to be "graft-able". Can anyone
confirm?
The upstream bug report:
https://bugs.python.org/issue42938
--- End Message ---
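The MITRE text above describes the bug class rather than showing it: sprintf formatting a double with "%f" into a fixed-size buffer, where a value such as 1e300 expands to more than 300 decimal digits. The C below is an added illustration of that pattern and of two bounded alternatives; it is not CPython's PyCArg_repr code nor the upstream fix, and the 256-byte buffer size, the function names and the format string are assumptions chosen to mimic the repr shape. The unsafe length is measured with snprintf(NULL, 0, ...) so the example itself never overflows anything.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the unsafe pattern writes into. Assumed for
 * illustration; it stands in for any fixed-size stack or static buffer. */
#define REPR_BUF 256

/* Bytes (excluding the NUL) that "%f" needs for a given double inside a
 * repr-like wrapper. snprintf(NULL, 0, ...) computes the length without
 * writing, so this is a safe way to see what sprintf would have emitted. */
size_t repr_len_needed(double d, char tag)
{
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, d);
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if sprintf into a REPR_BUF-byte buffer would overflow for this
 * value, 0 otherwise. The +1 accounts for the terminating NUL. */
int unsafe_repr_would_overflow(double d, char tag)
{
    return repr_len_needed(d, tag) + 1 > REPR_BUF;
}

/* Hardened form 1: keep "%f" but bound the write with snprintf and report
 * truncation to the caller instead of silently returning a cut string.
 * Returns 0 on success, -1 when the output did not fit. */
int safe_repr(char *out, size_t outlen, double d, char tag)
{
    int n = snprintf(out, outlen, "<cparam '%c' (%f)>", tag, d);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hardened form 2: "%g" has a bounded width for every finite double (sign,
 * at most 6 significant digits, decimal point, exponent), so a modest
 * buffer always suffices and 1e300 renders as "1e+300". */
int safe_repr_g(char *out, size_t outlen, double d, char tag)
{
    int n = snprintf(out, outlen, "<cparam '%c' (%g)>", tag, d);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the 1e300 value from the advisory and a benign one. */
    double samples[] = { 1e300, 3.5 };
    char buf[REPR_BUF];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double d = samples[i];
        printf("%g: \"%%f\" needs %zu bytes, overflow of %d-byte buffer: %s\n",
               d, repr_len_needed(d, 'd'), REPR_BUF,
               unsafe_repr_would_overflow(d, 'd') ? "yes" : "no");
        if (safe_repr(buf, sizeof buf, d, 'd') == 0)
            printf("  safe_repr   -> %s\n", buf);
        else
            printf("  safe_repr   -> rejected (would not fit)\n");
        if (safe_repr_g(buf, sizeof buf, d, 'd') == 0)
            printf("  safe_repr_g -> %s\n", buf);
    }
    return 0;
}
```

The point to take from running it: the "%f" conversion has no upper bound on output width for large magnitudes, so any fixed buffer is a matter of finding a large enough input, whereas bounding the write (snprintf with the result checked) or choosing a conversion with bounded width ("%g") closes that off regardless of the value supplied.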
--- Begin Message ---
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Tue, 23 Feb 2021 14:16:54 -0500
On Mon, Feb 22, 2021 at 09:08:14AM +0100, Ludovic Courtès wrote:
> You can keep (inherit …) because the effect of ‘package/inherit’ is just
> to preserve replacements, which is unnecessary here.
I used to know that... it's been a while and I forgot, and had trouble
understanding the package/inherit docstring. So I pushed a commit that I
hope clarifies it.
> Apart from that, the Guix side of things LGTM.
Pushed as 84e082e31706411e7f9c3189a83f8ed0b4016fe7
> Thanks for working on it!
Thanks for the review!
--- End Message ---