[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-10 Thread Serhiy Storchaka 


Change by Serhiy Storchaka :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-10 Thread Ned Deily 


Ned Deily  added the comment:


New changeset a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 by Serhiy Storchaka in 
branch '3.6':
[3.6] bpo-42103: Improve validation of Plist files. (GH-22882) (GH-23118)
https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d43b2b4


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-10 Thread Ned Deily 


Ned Deily  added the comment:


New changeset 225e3659556616ad70186e7efc02baeebfeb5ec4 by Serhiy Storchaka in 
branch '3.7':
[3.7] bpo-42103: Improve validation of Plist files. (GH-22882) (#23117)
https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebfeb5ec4


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread Serhiy Storchaka 


Change by Serhiy Storchaka :


--
nosy: +lukasz.langa
priority: normal -> release blocker

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread Serhiy Storchaka 


Serhiy Storchaka  added the comment:


New changeset 547d2bcc55e348043b2f338027c1acd9549ada76 by Serhiy Storchaka in 
branch '3.8':
[3.8] bpo-42103: Improve validation of Plist files. (GH-22882) (GH-23116)
https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd9549ada76


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread Serhiy Storchaka 


Change by Serhiy Storchaka :


--
pull_requests: +22035
pull_request: https://github.com/python/cpython/pull/23118

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread miss-islington 


miss-islington  added the comment:


New changeset e277cb76989958fdbc092bf0b2cb55c43e86610a by Miss Skeleton (bot) 
in branch '3.9':
bpo-42103: Improve validation of Plist files. (GH-22882)
https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e86610a


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread Serhiy Storchaka 


Change by Serhiy Storchaka :


--
pull_requests: +22034
pull_request: https://github.com/python/cpython/pull/23117

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread Serhiy Storchaka 


Change by Serhiy Storchaka :


--
pull_requests: +22033
pull_request: https://github.com/python/cpython/pull/23116

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread miss-islington 


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 4.0 -> 5.0
pull_requests: +22032
pull_request: https://github.com/python/cpython/pull/23115

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-11-02 Thread Serhiy Storchaka 


Serhiy Storchaka  added the comment:


New changeset 34637a0ce21e7261b952fbd9d006474cc29b681f by Serhiy Storchaka in 
branch 'master':
bpo-42103: Improve validation of Plist files. (GH-22882)
https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-22 Thread Serhiy Storchaka 


Serhiy Storchaka  added the comment:

No, with recursive collections all is good.

Then I'll just add a NEWS entry and maybe few more tests.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-22 Thread Serhiy Storchaka 


Serhiy Storchaka  added the comment:

PR 22882 fixes problem in _read_ints(), adds validation for string size, and 
adds many tests for mailformed binary Plists.

There may be problems with recursive collections. I'll try to solve them too.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-22 Thread Ronald Oussoren 


Ronald Oussoren  added the comment:

Serhiy, thanks. Just the change in the format string would fix this particular 
example.

I see you're working on a PR with better validation. The current state of the 
draft looks good to me, but I haven't checked yet if there are other potential 
problems that can be added to the list of invalid binary plists.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-22 Thread Serhiy Storchaka 


Change by Serhiy Storchaka :


--
keywords: +patch
pull_requests: +21822
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/22882

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-21 Thread Serhiy Storchaka 


Serhiy Storchaka  added the comment:

There are two issues here.

The simple one is building a large format string for struct.unpack(). It has 
simple solution: use f'>{n}{_BINARY_FORMAT[size]}'.

The hard issue is that read(n) allocates n bytes in memory even if there are 
not so many bytes in the file. It affects not only plistlib and should be fixed 
in the file implementation itself. There is an open issue for this.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-21 Thread Ronald Oussoren 


Ronald Oussoren  added the comment:

One Apple implementation of binary plist parsing is here: 
https://opensource.apple.com/source/CF/CF-550/CFBinaryPList.c.

That seems to work from a buffer (or mmap) of the entire file, making 
consistency checks somewhat easier, and I don't think they have a hardcoded 
limit on the number of items in the plist (but: it's getting late and might 
have missed that).

An easy fix for this issue is to limit the amount of values read by _read_ints, 
but that immediately begs the question what that limit should be. It is clear 
that 1B items in the array is too much (in this case 1B object refs for 
dictionary keys). 

I don't know what a sane limit would be. The largest plist file on my system is 
10MB. Limiting *n* to 20M would be easily enough to parse that file, and 
doesn't consume too much memory (about 160MB for the read buffer at most). 

Another thing the current code doesn't do is check that the "ref" argument to 
_read_object is in range. That's less problematic because the code will raise 
an exception regardless (IndexErrox, instead of the nicer InvalidFileException).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-21 Thread Ronald Oussoren 


Ronald Oussoren  added the comment:

Thanks for the report. I can reproduce the issue.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42103] [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

2020-10-20 Thread Ned Deily 


Change by Ned Deily :


--
components: +Library (Lib) -Interpreter Core
keywords: +security_issue
nosy: +ned.deily, ronaldoussoren, serhiy.storchaka
title: DoS (MemError via CPU and RAM exhaustion) when processing malformed 
Apple Property List files in binary format -> [security] DoS (MemError via CPU 
and RAM exhaustion) when processing malformed Apple Property List files in 
binary format

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com