Rocksolid Light



Subject: Python fu yeah
From: Anonymous
Newsgroups: rocksolid.shared.security
Organization: def2
Date: Fri, 19 Feb 2021 06:10 UTC
Attachments: python.jpg (image/jpeg)
Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: Python fu yeah
Date: Thu, 18 Feb 2021 22:10:42 -0800
Organization: def2
Message-ID: <opsec.779.3y1fsy@anon.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=288bcf7ef987c78e2e094201bcef1b37091268ce
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="16851"; mail-complaints-to="usenet@novabbs.org"
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

Description
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.


Really ? What can I use Python for, if it cannot parse numbers ?


Subject: None
From: Anonymous
Newsgroups: rocksolid.shared.security
Organization: rocksolid2 (novabbs.org)
Date: Fri, 19 Feb 2021 06:38 UTC
References: 1
Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: None
Date: Thu, 18 Feb 2021 22:38:46 -0800
Organization: rocksolid2 (novabbs.org)
Message-ID: <opsec.780.4deku4@anon.com>
References: <opsec.779.3y1fsy@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="26536"; mail-complaints-to="usenet@novabbs.org"
> cannot parse numbers
> floating-point
it's specifically floating-point
unless you have something using a math library like numpy or floating point numbers and it's parsing it somehow externally (very unlikely) you are probably fine for this specific cve
you don't use wsgi right

--
Posted on def2
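The CVE description in the first post and this reply's triage ("you are probably fine unless something hands floating-point values to a parser you don't control") can be turned into a script. The following is an added example, not code from the thread or from CPython. It checks the interpreter against the affected range the description gives and scans a module's AST for uses of the ctypes floating-point parameter types (`c_double`, `c_float`). The 3.9.2 cutoff is an assumption derived from the description's "through 3.9.1"; the module it scans is a constructed sample.

```python
"""Triage helper for CVE-2021-3177.

Added example; not code from the thread or from CPython. It turns the
thread's reasoning into two checks a defender would run:

 1. Is the interpreter in the range the CVE text gives ("Python 3.x
    through 3.9.1")?
 2. Does a code base actually hand floating-point values to ctypes
    (c_double / c_float), the precondition the replies point out?
"""
import ast
import sys

# The page says "3.x through 3.9.1", so 3.9.2 is treated as the first fixed
# release (assumption derived from that wording). Maintenance branches got
# backported fixes too; confirm against your distribution's advisory.
FIRST_FIXED = (3, 9, 2)

# ctypes floating-point parameter types whose repr goes through PyCArg_repr.
FLOAT_CTYPES = {"c_double", "c_float"}


def is_affected_version(version_info=None) -> bool:
    """True if (major, minor, micro) falls in the affected range."""
    if version_info is None:
        version_info = sys.version_info[:3]
    major, minor, micro = tuple(version_info)[:3]
    if major != 3:
        return False  # the description covers 3.x only
    return (major, minor, micro) < FIRST_FIXED


def ctypes_float_uses(source: str):
    """Return sorted (line, name) pairs where ctypes float types are used.

    Catches both `ctypes.c_double` attribute access and a bare `c_double`
    brought in by `from ctypes import c_double`. Import statements
    themselves are not counted; only uses are.
    """
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in FLOAT_CTYPES:
            hits.add((node.lineno, node.attr))
        elif isinstance(node, ast.Name) and node.id in FLOAT_CTYPES:
            hits.add((node.lineno, node.id))
    return sorted(hits)


def triage(source: str, version_info=None) -> dict:
    """Combine both checks; needs_review is True only when both hold.

    Whether the float values reaching ctypes are untrusted is still a
    question for a human reviewer.
    """
    affected = is_affected_version(version_info)
    uses = ctypes_float_uses(source)
    return {
        "interpreter_affected": affected,
        "ctypes_float_uses": uses,
        "needs_review": affected and bool(uses),
    }


# Constructed sample module (not real code from any project).
SAMPLE_SOURCE = """\
import ctypes
from ctypes import c_double

def to_native(value):
    return c_double.from_param(float(value))

lib = ctypes.CDLL(None)
n = ctypes.c_int(3)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SOURCE))            # current interpreter
    print(triage(SAMPLE_SOURCE, (3, 9, 1)))  # an interpreter in the affected range
```

Run it over each module of an application with the interpreter version it actually deploys on; a hit only tells you the precondition exists, so the next step is to trace where the float values come from, which is the "untrusted input" half of the description.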


Subject: Re: Python fu yeah
From: Anonymous
Newsgroups: rocksolid.shared.security
Organization: rocksolid2 (novabbs.org)
Date: Fri, 19 Feb 2021 11:52 UTC
References: 1
Path: i2pn2.org!rocksolid2!.POSTED.127.117.190.215!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: Re: Python fu yeah
Date: Fri, 19 Feb 2021 03:52:38 -0800
Organization: rocksolid2 (novabbs.org)
Message-ID: <opsec.781.3hzr04@anon.com>
References: <opsec.779.3y1fsy@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def.i2p"; posting-host="127.117.190.215";
logging-data="28285"; mail-complaints-to="usenet@novabbs.org"
> you are probably fine
now that gives me a good, warm, fuzzy kind of feeling.

> you don't use wsgi right
op does not use python at all, kind of biased here.

--
Posted on def2


Subject: None
From: Anonymous
Newsgroups: rocksolid.shared.security
Organization: def2
Date: Fri, 19 Feb 2021 17:43 UTC
References: 1
Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: None
Date: Fri, 19 Feb 2021 09:43:52 -0800
Organization: def2
Message-ID: <opsec.783.1svmmj@anon.com>
References: <opsec.779.3y1fsy@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="17703"; mail-complaints-to="usenet@novabbs.org"
> now that gives me a good, warm, fuzzy kind of feeling.
don't forget i said specific cve. there's also blender which can be networked and does a lot of floating-point calculations
you aren't using blender for classical remote framebuffers on an open network are you, i'm not even sure if blender supports that anymore
i've seen way worse than python and prefer to use pypy* if at all. currently trashing my python oses anyway, only a few utilities in python i really can't replace, which will be easy to isolate if only they could run with a python interpreter and base libraries that are under 10 megabytes
> op does not use python at all, kind of biased here.
i have my doubts that op controls his dependencies. most graphical gnuware will pull in rust now for svg, it's pretty funny

--
Posted on def2

