Conversation

@serhiy-storchaka
Member

@serhiy-storchaka serhiy-storchaka commented May 21, 2024

Reading a specially prepared small Plist file could cause OOM because the file's read(n) preallocates a bytes object for reading the specified amount of data. Now plistlib reads large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file.
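As an added illustration (not the PR's own code): a chunked read helper of the kind the description refers to, applied to a constructed length-prefixed record, so that a short input which merely declares a huge length is rejected without the declared size ever being allocated. The names `read_exact` and `read_length_prefixed` and the 8-byte header layout are assumptions of this example, not part of plistlib.

```python
import io

DEFAULT_CHUNK = 1 << 20  # 1 MiB per read call; peak allocation stays near this plus bytes actually read


def read_exact(fp, n, chunk_size=DEFAULT_CHUNK):
    """Return exactly n bytes from fp, reading at most chunk_size bytes per call.

    A plain fp.read(n) on a real file object allocates an n-byte buffer up
    front, so a tiny input that merely declares a huge length can exhaust
    memory before a single byte is validated. Bounded chunks keep the
    allocation proportional to the bytes the file really contains, and a
    short read raises instead of silently returning a truncated buffer.
    """
    if n < 0:
        raise ValueError("length must be non-negative")
    parts = []
    remaining = n
    while remaining > 0:
        chunk = fp.read(min(remaining, chunk_size))
        if not chunk:  # EOF before the declared length was satisfied
            raise EOFError(f"expected {n} bytes, got {n - remaining}")
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)


def read_length_prefixed(data, chunk_size=DEFAULT_CHUNK):
    """Parse a constructed record: 8-byte big-endian length, then payload.

    The declared length is untrusted input, so the payload is fetched with
    read_exact rather than a single fp.read(declared).
    """
    fp = io.BytesIO(data)
    declared = int.from_bytes(read_exact(fp, 8, chunk_size), "big")
    return read_exact(fp, declared, chunk_size)


def demo():
    # Constructed inputs: a well-formed record, and one whose header declares
    # 1 GiB while only 5 bytes of payload follow (the OOM-inducing shape).
    good = (5).to_bytes(8, "big") + b"hello"
    short = (1 << 30).to_bytes(8, "big") + b"hello"
    ok = read_length_prefixed(good, chunk_size=2)
    try:
        read_length_prefixed(short, chunk_size=2)
        outcome = "unexpectedly succeeded"
    except EOFError as exc:
        outcome = str(exc)
    return ok, outcome
```

The tiny `chunk_size=2` in `demo()` only makes the chunk loop visible on small data; in practice the default of 1 MiB bounds each allocation.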

Reading a specially prepared small Plist file could cause OOM because the file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
serhiy-storchaka and others added 2 commits May 22, 2024 16:00
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@gpshead gpshead marked this pull request as draft May 24, 2024 19:58
@gpshead
Member

gpshead commented May 24, 2024

I've marked this Draft for now as discussion on this on the security response team list is not complete. (we'll summarize that in a public issue once it has settled)

@encukou
Member

encukou commented Jan 27, 2025

See #119514 (comment) for results of the PSRT discussion.

@serhiy-storchaka serhiy-storchaka added the needs backport to 3.14 bugs and security fixes label May 8, 2025
@serhiy-storchaka serhiy-storchaka changed the title gh-119342: Fix OOM vulnerability in plistlib gh-119342: Fix a potential denial of service in plistlib Nov 18, 2025
@serhiy-storchaka serhiy-storchaka marked this pull request as ready for review November 18, 2025 13:41
@serhiy-storchaka serhiy-storchaka merged commit 694922c into python:main Dec 1, 2025
46 checks passed
@serhiy-storchaka serhiy-storchaka deleted the plistlib-oom branch December 1, 2025 15:28
@miss-islington-app

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Dec 1, 2025
…nGH-119343)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Dec 1, 2025
…nGH-119343)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app

bedevere-app bot commented Dec 1, 2025

GH-142143 is a backport of this pull request to the 3.14 branch.

@miss-islington-app

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 694922cf40aa3a28f898b5f5ee08b71b4922df70 3.12

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Dec 1, 2025
@miss-islington-app

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 694922cf40aa3a28f898b5f5ee08b71b4922df70 3.11

@bedevere-app

bedevere-app bot commented Dec 1, 2025

GH-142144 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Dec 1, 2025
@miss-islington-app

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 694922cf40aa3a28f898b5f5ee08b71b4922df70 3.10

serhiy-storchaka added a commit that referenced this pull request Dec 1, 2025
…19343) (GH-142144)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this pull request Dec 1, 2025
…pythonGH-119343)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
serhiy-storchaka added a commit that referenced this pull request Dec 1, 2025
…19343) (GH-142143)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app

bedevere-app bot commented Dec 1, 2025

GH-142149 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Dec 1, 2025
serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this pull request Dec 1, 2025
…pythonGH-119343)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app

bedevere-app bot commented Dec 1, 2025

GH-142150 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Dec 1, 2025
serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this pull request Dec 1, 2025
…pythonGH-119343)

(cherry picked from commit 694922c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app

bedevere-app bot commented Dec 1, 2025

GH-142151 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Dec 1, 2025
@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Debian root 3.14 (tier-1) has failed when building commit b64441e.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1742/builds/727) and take a look at the build logs.
  4. Check if the failure is related to this commit (b64441e) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1742/builds/727

Summary of the results of the build (if available):

Traceback (most recent call last):
  File "/root/buildarea/3.14.angelico-debian-amd64/build/Lib/test/support/__init__.py", line 847, in gc_collect
    gc.collect()
ResourceWarning: unclosed file <_io.FileIO name=13 mode='wb' closefd=True>


Traceback (most recent call last):
  File "/root/buildarea/3.14.angelico-debian-amd64/build/Lib/test/support/__init__.py", line 847, in gc_collect
    gc.collect()
ResourceWarning: unclosed file <_io.FileIO name=11 mode='wb' closefd=True>

Labels

type-security A security issue
