python pickle module vuln
From: Ademar de Souza Reis Jr. <ademar@...>
Subject: python pickle module vuln
Newsgroups: gmane.comp.misc.xvendor
Date: 2002-09-11 17:06:06 GMT
Hello.

Is anyone working on, or does anyone have any new information about, that vulnerability, sent to the bugtraq list two months ago? I'm preparing the release of a fix for the python execvpe vuln and I would like to address this one also.

Thanks in advance.

- Ademar

----- Forwarded message from Jeff Epler <jepler@...> -----

Date: Wed, 17 Jul 2002 07:45:17 -0500
From: Jeff Epler <jepler@...>
Subject: Exploit for a security hole in the pickle module for Python versions <= 2.1.x
To: bugtraq@...

"""
Exploit for a security hole in the pickle module for Python versions <= 2.1.x

Pickle is the name of a Python module for object persistence. It can convert arbitrary Python objects into byte streams and back. Though the documentation for Python 1.5.2 read

    The pickle module doesn't handle code objects, which the marshal module does. I suppose pickle could, and maybe it should, but there's probably no great need for it right now (as long as marshal continues to be used for reading and writing code objects), and at least this avoids the possibility of smuggling Trojan horses into a program.

it was always generally considered that a carefully-crafted "pickle" could
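The forwarded message describes the core risk: a pickle stream is not just data, it can name importable globals and call them while loading. The added example below (not part of either message, and written for modern Python 3 rather than the 2.1.x releases discussed) shows the two defensive checks a consumer of untrusted pickles wants: disassembling the stream with `pickletools.genops` to spot code-capable opcodes before loading, and an `Unpickler` whose `find_class` resolves only an allowlist of globals. The allowlist contents and the three constructed sample streams are assumptions for the demo.

```python
import collections
import io
import os
import pickle
import pickletools

# Opcodes that let a pickle import names or call objects while loading.
# A stream built only from data opcodes (dicts, lists, strings, ints) never needs them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                "REDUCE", "BUILD"}


def code_opcodes(data):
    """Names of code-capable opcodes in `data`, found by disassembly, not by loading."""
    found = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return sorted(found & CODE_OPCODES)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an allowlist of (module, name) globals."""
    ALLOWED = {("collections", "OrderedDict")}  # assumed allowlist for this demo

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_loads(data):
    """Load `data` under the allowlist; raises UnpicklingError for any other global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data):
    """Return (code_opcodes, loaded_object_or_None, error_or_None) for one stream."""
    try:
        return code_opcodes(data), restricted_loads(data), None
    except pickle.UnpicklingError as exc:
        return code_opcodes(data), None, str(exc)


# Constructed samples: plain data, an allowlisted class, and a reference to a
# module-level function. The last one is harmless here (loading it only returns
# the function object), but it is the kind of global an untrusted stream can
# point at anything importable, so the restricted loader must refuse it.
PLAIN = pickle.dumps({"user": "ademar", "ids": [1, 2, 3]})
ORDERED = pickle.dumps(collections.OrderedDict(a=1))
FUNC_REF = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("ordered", ORDERED), ("func_ref", FUNC_REF)]:
        print(label, classify(blob))
```

The opcode scan is the cheap triage step (anything it flags deserves a look); the allowlisted `find_class` is the actual control, since `pickle.loads` itself offers no way to say which globals are acceptable.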