projects / python3.9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f62aef0) | patch
[3.13] gh-119342: Fix a potential denial of service in plistlib (GH-119343) (GH-142144)
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Mon, 1 Dec 2025 15:50:28 +0000 (16:50 +0100)
committerArnaud Rebillout <arnaudr@debian.org>
Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)
commitdfdbcddc61d1d316d3539b3669dfb73c0f305b92
treed0b95e204492e1e3c1b37a55092dfbc1ce1b03cdtree | snapshot
parentf62aef0f11675d0bc51bed8876c43019ea62f7becommit | diff
[3.13] gh-119342: Fix a potential denial of service in plistlib (GH-119343) (GH-142144)

Reading a specially prepared small Plist file could cause OOM because file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: backport, https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba

Gbp-Pq: Name CVE-2025-13837.patch
Lib/plistlib.py diff | blob | history
Lib/test/test_plistlib.py diff | blob | history
Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.