Skip to content

[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) #4664

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 8, 2017
Merged

[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) #4664

merged 1 commit into from
Dec 8, 2017

Conversation

hroncok
Copy link
Contributor

@hroncok hroncok commented Dec 1, 2017
edited
Loading

Fixes possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
Original patch by Jay Bosamiya @jaybosamiya in #2174

https://bugs.python.org/issue30657

@bedevere-bot bedevere-bot added the type-bug An unexpected behavior, bug, or error label Dec 1, 2017
@hroncok
Copy link
Contributor Author

hroncok commented Dec 1, 2017

@jaybosamiya I can make you the author of that commit if you'd like, but since it's against a different file, I didn't just cherry-picked it, so I wasn't sure.

@hroncok hroncok changed the title [3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174) [3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) Dec 1, 2017
@bedevere-bot bedevere-bot added the type-bug An unexpected behavior, bug, or error label Dec 1, 2017
@jaybosamiya
Copy link

I'm not sure of the convention for cpython when bringing a patch from one version to another, but I'm fine with it either ways. Feel free to keep/change as you see fit :)

@hroncok
Copy link
Contributor Author

hroncok commented Dec 1, 2017

OK, let's wait what the reviewer says.

vstinner
vstinner reviewed Dec 4, 2017
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind to rewrite your commit message to mention the original author as the following syntax?

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>

vstinner
vstinner reviewed Dec 4, 2017
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change itself LGTM.

@hroncok @jaybosamiya
bpo-30657: Fix CVE-2017-1000158
4ac2528 
Fixes possible integer overflow in PyBytes_DecodeEscape.

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
@hroncok
Copy link
Contributor Author

hroncok commented Dec 4, 2017

Commit message changed as requested.

vstinner
vstinner approved these changes Dec 4, 2017
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@vstinner
Copy link
Member

vstinner commented Dec 4, 2017

@larryhastings: Would you mind to merge this PR?

@hroncok
Copy link
Contributor Author

hroncok commented Dec 8, 2017

For 3.4: #4758

@larryhastings larryhastings merged commit fd8614c into python:3.5 Dec 8, 2017
@hroncok hroncok deleted the fix-issue-30657 branch December 8, 2017 21:41
@hroncok
Copy link
Contributor Author

hroncok commented Dec 8, 2017

Thanks @vstinner @larryhastings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vstinner vstinner vstinner approved these changes

Assignees
No one assigned
Labels
type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@hroncok @jaybosamiya @vstinner @larryhastings @the-knights-who-say-ni @bedevere-bot