On Sun, Jan 9, 2022 at 7:35 PM Stephen J. Turnbull <stephenjturnb...@gmail.com> wrote:
>
> Chris Angelico writes:
>
>  > Not completely, just very minorly. I'm distinguishing between attacks
>  > that can be triggered remotely, and those which require the attacker
>  > to run specific Python code. For example, using ctypes
>
> OK. AFAICT that was a red herring introduced to the thread solely to
> support the claim "Python isn't memory-safe [anyway]" so it's not
> reasonable to claim a Python bug is a vulnerability. The original
> post didn't depend on ctypes or anything like that; it claimed there
> *might* be vulnerabilities in CPython's C code. If so, my claim is
> that they would indeed be security-relevant, regardless of what users
> with access to Python source might or might not be doing.
>
That's entirely possible, but I eyeballed a number of the examples cited, and they weren't (you can't use an HTTP request to trigger test code, as far as I know). For any of these to be viable issues, they would have to be triggered somehow, and in many cases, it's far from obvious how you might do that.

The problem is that this is a single monster report with a huge number of uninteresting concerns (the "value written to but never read" ones), interspersed with a number of complaints which aren't actually issues (like calling Py_CLEAR with a potentially null pointer, which is perfectly safe). It's hard to know whether there are any real issues, without spending a lot of time weeding through the non-issues.

ChrisA

_______________________________________________
Python-Dev mailing list -- python-dev@python.org
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/A5627EPSYKIM7JVD67GXT42SYFFWZX47/
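To illustrate why a "possibly NULL pointer passed to Py_CLEAR" finding is a false positive, here is an added example (not code from the thread or from CPython) with a toy refcounted object and an `OBJ_CLEAR` macro written in the same shape as CPython's `Py_CLEAR`; the `Obj` type, `obj_decref`, `obj_new` and `clear_demo` are stand-ins invented for this example.

```c
/* Added example, not from the mailing-list thread or from CPython:
 * a toy refcounted object plus a CLEAR macro with the same structure
 * as CPython's Py_CLEAR, showing why a NULL argument is harmless. */
#include <stddef.h>
#include <stdlib.h>

typedef struct Obj {
    long refcnt;
    int *freed_counter;   /* counts how many objects were released */
} Obj;

/* Toy counterpart of Py_DECREF: free the object when the last
 * reference is dropped and record that a release happened. */
static void obj_decref(Obj *o) {
    if (--o->refcnt == 0) {
        (*o->freed_counter)++;
        free(o);
    }
}

/* Toy allocator returning an object with one owned reference. */
static Obj *obj_new(int *freed_counter) {
    Obj *o = malloc(sizeof *o);
    o->refcnt = 1;
    o->freed_counter = freed_counter;
    return o;
}

/* Same structure as Py_CLEAR: copy the pointer, test it for NULL, null
 * out the slot *before* dropping the reference (so anything that runs
 * during deallocation never sees a dangling pointer), then decref the
 * saved copy. A NULL slot falls through the check and nothing is done,
 * which is why an analyzer warning about a NULL argument is a non-issue. */
#define OBJ_CLEAR(slot)                          \
    do {                                         \
        Obj *_tmp = (slot);                      \
        if (_tmp != NULL) {                      \
            (slot) = NULL;                       \
            obj_decref(_tmp);                    \
        }                                        \
    } while (0)

/* Clears a live slot, then clears the same (now NULL) slot twice more.
 * Returns how many objects were freed, or -1 if the slot was not
 * left NULL: a correct clear frees exactly one object, no double free. */
int clear_demo(void) {
    int freed = 0;
    Obj *slot = obj_new(&freed);
    OBJ_CLEAR(slot);   /* frees the object, sets slot to NULL */
    OBJ_CLEAR(slot);   /* slot is NULL: no-op */
    OBJ_CLEAR(slot);   /* still a no-op */
    return (slot == NULL) ? freed : -1;
}
```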