[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Should we be alarmed at our state of security support?

* John Goerzen:

> Regarding the python2.6 one you were saying wasn't a big deal -- there's
> a proof of concept exploit for it
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
> .  Why would the tracker say that such a thing wasn't important enough
> to fix?

You need an application which uses recvfrom_into (I don't think we
ship any), and that application must handle the buffer size
incorrectly (i.e., it would generate an exception with the fixed
Python version).  This is why it's not so critical after all.

Reply to: