Skip to content

/cpython

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) #4664

Merged
merged 1 commit into from Dec 8, 2017
Merged

[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) #4664

merged 1 commit into from Dec 8, 2017

Conversation

@hroncok
Copy link
Contributor

hroncok commented Dec 1, 2017
edited

Fixes possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
Original patch by Jay Bosamiya @jaybosamiya in #2174

https://bugs.python.org/issue30657
@hroncok

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

hroncok commented Dec 1, 2017

@jaybosamiya I can make you the author of that commit if you'd like, but since it's against a different file, I didn't just cherry-picked it, so I wasn't sure.
@hroncok hroncok changed the title [3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174) [3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) Dec 1, 2017
@jaybosamiya

This comment has been minimized.

Sign in to view
Copy link

jaybosamiya commented Dec 1, 2017

I'm not sure of the convention for cpython when bringing a patch from one version to another, but I'm fine with it either ways. Feel free to keep/change as you see fit :)
@hroncok

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

hroncok commented Dec 1, 2017

OK, let's wait what the reviewer says.
@vstinner
vstinner reviewed Dec 4, 2017
View changes
Copy link
Member

vstinner left a comment

Would you mind to rewrite your commit message to mention the original author as the following syntax?

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
@vstinner
vstinner reviewed Dec 4, 2017
View changes
Copy link
Member

vstinner left a comment

The change itself LGTM.
@hroncok @jaybosamiya
bpo-30657: Fix CVE-2017-1000158
Loading status checks…
4ac2528 
Fixes possible integer overflow in PyBytes_DecodeEscape.

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
@hroncok hroncok force-pushed the hroncok:fix-issue-30657 branch from 1981dca to 4ac2528 Dec 4, 2017
@hroncok

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

hroncok commented Dec 4, 2017

Commit message changed as requested.
@vstinner
vstinner approved these changes Dec 4, 2017
View changes
Copy link
Member

vstinner left a comment

LGTM.
@vstinner

This comment has been minimized.

Sign in to view
Copy link
Member

vstinner commented Dec 4, 2017

@larryhastings: Would you mind to merge this PR?
@hroncok

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

hroncok commented Dec 8, 2017

For 3.4: #4758
@larryhastings larryhastings merged commit fd8614c into python:3.5 Dec 8, 2017
4 checks passed
4 checks passed
bedevere/issue-number Issue number 30657 found
Details
bedevere/news News entry found in Misc/NEWS.d
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@hroncok hroncok deleted the hroncok:fix-issue-30657 branch Dec 8, 2017
@hroncok

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

hroncok commented Dec 8, 2017

Thanks @vstinner @larryhastings.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vstinner vstinner

Assignees
No one assigned
Labels
CLA signed type-bugfix
Projects
None yet
Milestone
No milestone
6 participants
@hroncok @jaybosamiya @vstinner @larryhastings @the-knights-who-say-ni @bedevere-bot
You can’t perform that action at this time.