Closed as not planned
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs); pending (The issue will be closed if no feedback is provided); type-bug (An unexpected behavior, bug, or error)
Description
Bug report
Bug description:
Discovered a buffer overflow vulnerability in the _Py_wreadlink function in Python's core codebase. This function, which reads the value of a symbolic link, fails to properly null-terminate the output buffer in certain edge cases, potentially leading to buffer overruns.
The function uses wcsncpy to copy a wide character string but doesn't guarantee null-termination:
wcsncpy(buf, wbuf, buflen);
Reproduction
The issue can be reproduced in any scenario where _Py_wreadlink is called with a symbolic link whose content length is exactly one less than the provided buffer size.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
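An added example, not part of the issue report and not CPython code: it checks where standard C `wcsncpy` writes a terminator at the three source lengths around the buffer size, and pairs that with a hypothetical `checked_wcopy` helper that refuses any source leaving no room for the terminator. `BUFLEN`, the sample paths and both function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define BUFLEN 8  /* constructed buffer size, in wide characters */

/* Returns 1 if wcsncpy(buf, src, BUFLEN) left a L'\0' inside buf, else 0.
   The buffer is pre-filled with a non-zero sentinel, so any terminator
   found afterwards was written by wcsncpy itself. */
static int wcsncpy_terminates(const wchar_t *src)
{
    wchar_t buf[BUFLEN];
    for (size_t i = 0; i < BUFLEN; i++)
        buf[i] = L'#';
    wcsncpy(buf, src, BUFLEN);
    return wmemchr(buf, L'\0', BUFLEN) != NULL;
}

/* Hypothetical hardened copy: fails instead of producing an unterminated
   buffer. Returns the number of characters copied, or -1 if src does not
   fit together with its terminator. */
static long checked_wcopy(wchar_t *buf, size_t buflen, const wchar_t *src)
{
    size_t len = wcslen(src);
    if (buflen == 0 || len >= buflen)
        return -1;               /* no room for the terminator */
    wmemcpy(buf, src, len + 1);  /* len + 1 includes the terminator */
    return (long)len;
}

int main(void)
{
    /* Constructed link targets of length BUFLEN-1, BUFLEN and BUFLEN+1. */
    const wchar_t *targets[] = { L"/tmp/ab", L"/tmp/abc", L"/tmp/abcd" };
    wchar_t out[BUFLEN];

    for (size_t i = 0; i < 3; i++) {
        printf("len=%zu wcsncpy_terminated=%d checked_wcopy=%ld\n",
               wcslen(targets[i]),
               wcsncpy_terminates(targets[i]),
               checked_wcopy(out, BUFLEN, targets[i]));
    }
    return 0;
}
```
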