[issue37461] email.parser.Parser hang

2019-07-17 Thread Guido Vranken
Guido Vranken added the comment: I used fuzzing to find this bug. After applying your patch, the infinite loop is gone and it cannot find any other bugs of this nature.
--
Python tracker <https://bugs.python.org/issue37

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-07-08 Thread Guido Vranken
Guido Vranken added the comment: Hi, I've built a generic Python fuzzer and submitted it to OSS-Fuzz. It works by implementing a "def FuzzerRunOne(FuzzerInput):" function in Python in which some arbitrary code is run based on FuzzerInput, which is a bytes object. This is a

[issue37461] email.parser.Parser hang

2019-06-30 Thread Guido Vranken
New submission from Guido Vranken: The following will hang, and consume a large amount of memory:

from email.parser import BytesParser, Parser
from email.policy import default
payload = "".join(chr(c) for c in [0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70,
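The two reports above (the generic "def FuzzerRunOne(FuzzerInput):" harness shape from issue29505, and the email.parser hang found with it) describe a technique without showing a target. The following is an added example, not code from the tracker, from the reporter or from CPython: a fuzz target in that shape that feeds one byte string to email.parser (with the `default` policy, which is what triggered the hang), re, json and csv, plus a small offline driver that runs constructed seeds under a watchdog so that a call which never returns is reported as "hang" rather than silently stalling the run. The seeds, the `EXPECTED` exception list and the `run_seeds` driver are all assumptions made for the example; a real OSS-Fuzz run would replace the driver with the engine's own loop and `-timeout`.

```python
import csv
import io
import json
import re
import threading
from email.parser import BytesParser
from email.policy import default

# Exceptions the exercised modules document for malformed input (assumed
# list). Anything else escaping FuzzerRunOne is a finding; so is a call
# that never returns.
EXPECTED = (ValueError, OverflowError, RecursionError, UnicodeError,
            re.error, json.JSONDecodeError, csv.Error)


def FuzzerRunOne(FuzzerInput: bytes) -> None:
    """One fuzz iteration in the FuzzerRunOne(FuzzerInput) shape.

    The same bytes are fed to several parsers so one corpus covers them all.
    """
    # email.parser with the 'default' policy parses header values lazily via
    # the policy's header parser, so touch every header to actually drive it.
    msg = BytesParser(policy=default).parsebytes(FuzzerInput)
    for _name, value in msg.items():
        str(value)

    text = FuzzerInput.decode("utf-8", errors="replace")

    # re: the first line is the pattern, the remainder the subject string.
    pattern, _sep, subject = text.partition("\n")
    try:
        re.compile(pattern).search(subject)
    except re.error:
        pass  # a rejected pattern is not a bug

    try:
        json.loads(text)
    except json.JSONDecodeError:
        pass

    for _row in csv.reader(io.StringIO(text)):
        pass


def _classify(seed: bytes, outcome: dict) -> None:
    try:
        FuzzerRunOne(seed)
        outcome["kind"] = "ok"
    except EXPECTED:
        outcome["kind"] = "expected"
    except Exception as exc:  # the point is to catch the unexpected
        outcome["kind"] = "crash"
        outcome["detail"] = repr(exc)


def run_seeds(seeds, timeout: float = 2.0) -> dict:
    """Offline stand-in for the fuzz engine: run each seed once under a
    watchdog and classify it as ok, expected, crash or hang.

    The watchdog is a daemon thread with a bounded join, which is enough to
    flag a hang in pure-Python code such as email's header parser. A loop in
    a C extension that never releases the GIL needs a process-level timeout
    (the engine's own -timeout) instead.
    """
    results = {}
    for seed in seeds:
        outcome = {}
        worker = threading.Thread(target=_classify, args=(seed, outcome),
                                  daemon=True)
        worker.start()
        worker.join(timeout)
        results[seed] = "hang" if worker.is_alive() else outcome["kind"]
    return results


# Constructed seeds (not from the tracker): a well-formed message, a JSON
# array, an unbalanced regex and a CSV table.
SEEDS = [
    b"Content-Type: text/plain; charset=utf-8\r\nSubject: hi\r\n\r\nbody\r\n",
    b"[1, 2.5, true, null]",
    b"(",
    b"name,qty\nwidget,2\n",
]

if __name__ == "__main__":
    for seed, kind in run_seeds(SEEDS).items():
        print(f"{kind:8} {seed!r}")
```

Keeping the documented exceptions out of the "crash" bucket is what makes the harness usable: the engine should only stop on an unexpected exception type or a timeout, and the hang in issue37461 is exactly the second kind of finding.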

[issue23165] Heap overwrite in Python/fileutils.c:_Py_char2wchar() on 32 bit systems due to malloc parameter overflow

2015-01-04 Thread Guido Vranken
New submission from Guido Vranken: The vulnerability described here is exceedingly difficult to exploit, since there is no straight-forward way an "attacker" (someone who controls a Python script's contents but not other values such as system environment variables) can control

[issue23130] Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem

2014-12-29 Thread Guido Vranken
New submission from Guido Vranken: Tools/scripts/ftpmirror.py does not guard against arbitrary path constructions, and, given a connection to a malicious FTP server (or a man-in-the-middle attack), it is possible that any file on the client's filesystem gets overwritten. I.e., if we su
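The report above says the mirror script does not guard how server-supplied names are turned into local paths. As an added example (not ftpmirror.py's own code and not the reporter's), the block below shows what an unguarded join does with a name taken from an FTP listing, and beside it the check a mirroring client should apply: reject absolute names and traversal components, then confirm after symlink resolution that the final path is still below the mirror directory. Function names and the error messages are assumptions made for the example.

```python
import os
import posixpath


def naive_target(base_dir: str, remote_name: str) -> str:
    """What an unguarded join does with a server-chosen name: posixpath.join
    discards base_dir when remote_name is absolute, and normpath happily
    walks '..' components out of the mirror directory."""
    return posixpath.normpath(posixpath.join(base_dir, remote_name))


def safe_target(base_dir: str, remote_name: str) -> str:
    """Map a name from an FTP listing to a local path inside base_dir.

    Raises ValueError for anything that would land outside base_dir:
    absolute names, drive prefixes, '.'/'..'/empty components, platform
    separators, and names that resolve (through an existing symlink in the
    mirror) to somewhere else.
    """
    if not remote_name or remote_name.startswith("/"):
        raise ValueError(f"rejecting absolute or empty name {remote_name!r}")
    # FTP listings are '/'-separated; a backslash or a drive letter only
    # matters on Windows, where os.path.join would honour them.
    if os.path.splitdrive(remote_name)[0] or (os.sep != "/" and os.sep in remote_name):
        raise ValueError(f"rejecting platform-specific path in {remote_name!r}")
    parts = remote_name.split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise ValueError(f"rejecting traversal in {remote_name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # Final guard: after symlink resolution the target must still be below base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{remote_name!r} escapes {base_dir!r}")
    return candidate


if __name__ == "__main__":
    # Constructed listing entries a hostile server might send.
    for name in ("pub/readme.txt", "/etc/passwd", "../../etc/passwd", "pub/../../x"):
        print(f"{name!r:22} naive -> {naive_target('/mirror', name)!r:24}", end=" ")
        try:
            print("safe ->", safe_target("/mirror", name))
        except ValueError as exc:
            print("safe -> REJECTED:", exc)
```

The component check and the `commonpath` check are deliberately both present: the first rejects obviously hostile names with a clear message before touching the filesystem, the second catches what string inspection cannot, such as a symlink the server persuaded an earlier run to mirror.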

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido Vranken
Guido Vranken added the comment: I'd also like to add that, although I agree with Guido van Rossum that the likelihood of even triggering this bug in a general programming context is low, there are two buffer overflows at play here (one stack-based and one heap-based), and giv

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido Vranken
Guido Vranken added the comment: Serhiy Storchaka: good call on changing my 'n += (width + precision) < 20 ? 20 : (width + precision);' into 'if (width < precision) width = precision;', I didn't realize that sprintf's space requirement entails using the l

[issue22928] HTTP header injection in urllib2/urllib/httplib/http.client

2014-11-23 Thread Guido Vranken
New submission from Guido Vranken: Proof of concept:

# Script for Python 2
import urllib2
opener = urllib2.build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0' + chr(0x0A) + "Location: header injection")]
response = opener.open("http://localho
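The proof of concept above needs a listening server to show its effect. The block below is an added example, not the reporter's script and not CPython's own code: it serialises a request the naive way so the injected "Location:" line is visible in the bytes, reimplements the header-value rule that the fixed http.client applies at putheader() time (the regex is written from memory of the stdlib check and is an assumption), and asks the interpreter's own http.client whether it would send the value, which works offline because putrequest()/putheader() only fill the output buffer. Function names and the `INJECTED` constant are assumptions made for the example.

```python
import http.client
import re

# Rule mirroring the check http.client applies in putheader() (assumed from
# the stdlib source): a CR or LF is only tolerated when it begins an obs-fold
# continuation line, i.e. when it is followed by a space or tab.
_ILLEGAL_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")


def validate_header_value(value: str) -> str:
    """Reject a value that would terminate the header line early."""
    if _ILLEGAL_VALUE.search(value):
        raise ValueError(f"Invalid header value {value!r}")
    return value


def build_raw_request(method: str, path: str, headers) -> str:
    """Deliberately unchecked serialiser: shows where an injected value lands."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines.extend(f"{name}: {value}" for name, value in headers)
    return "\r\n".join(lines) + "\r\n\r\n"


def stdlib_accepts(name: str, value: str) -> bool:
    """Ask the current http.client whether it would send this header.

    No socket is opened: putrequest()/putheader() only append to the
    connection's output buffer, and close() discards it.
    """
    conn = http.client.HTTPConnection("localhost")
    conn.putrequest("GET", "/")
    try:
        conn.putheader(name, value)
    except ValueError:
        return False
    finally:
        conn.close()
    return True


# The PoC's value: a bare LF followed by a second, attacker-chosen header.
INJECTED = "Mozilla/5.0\nLocation: header injection"

if __name__ == "__main__":
    print(build_raw_request("GET", "/", [("User-agent", INJECTED)]))
    print("stdlib accepts injected value:", stdlib_accepts("User-agent", INJECTED))
    print("stdlib accepts plain value:   ", stdlib_accepts("User-agent", "Mozilla/5.0"))
```

Two practical points follow from the rule. First, with the Python 3 equivalent of the PoC (urllib.request, addheaders on the opener) the rejection happens when the request is actually sent, since that is where http.client builds the header block, not where the header is added. Second, the obs-fold allowance means a value such as "a\r\n b" still passes; an application that sets headers from untrusted input and cares about that case has to forbid CR and LF outright in its own validation rather than rely on the stdlib check alone.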