Python developers release patch for ‘innocent’ remote code execution


The developers behind Python have released an update for the programming language, because it contained several vulnerabilities. One of the vulnerabilities allowed remote code execution.

The Python Software Foundation recommends that developers upgrade to version 3.8.8 or 3.9.2, which fix two bugs. The first is CVE-2021-23336, a web cache bug that allows attackers to change the separator. The other bug is more serious, as it involves possible remote code execution.

That second bug is CVE-2021-3177. According to the developers, they received many questions from users about it, which surprised them. They attribute this to the term ‘remote code execution’ conjuring up fears. However, according to the developers, CVE-2021-3177 is difficult to exploit in practice and can do little damage in applications: several conditions must be met on the system, and an attacker can’t do much after exploiting it. At most it is possible to trigger a buffer overflow and crash the system.

The problem is in PyCArg_repr, where sprintf is used. Since Python is included by default on many Linux and Windows versions, the impact is potentially widespread. Several vendors have now shipped patches that fix the bug, but developers should also apply the patch themselves.
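The pattern the article describes (a fixed-size buffer filled by sprintf from a double that the caller controls) next to its bounded replacement, as an added illustration that is not CPython's code; the buffer size, the format string and the sample values are assumptions, and the length of the unbounded write is measured with snprintf(NULL, 0, ...) so nothing is actually overflowed:

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration, not CPython's value. */
#define REPR_BUF 256

/* How many characters an unbounded sprintf of this value would write.
 * A result >= REPR_BUF means the vulnerable pattern would write past
 * the end of a REPR_BUF-sized buffer (the overflow the article mentions). */
size_t unbounded_repr_len(char tag, double value) {
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: bounded write. Returns 1 if the whole representation
 * fit in out, 0 if it was truncated (caller can report or fall back). */
int bounded_repr(char tag, double value, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "<cparam '%c' (%f)>", tag, value);
    return n >= 0 && (size_t)n < outlen;
}

/* Convenience check against a REPR_BUF-sized stack buffer. */
int repr_fits(char tag, double value) {
    char buf[REPR_BUF];
    return bounded_repr(tag, value, buf, sizeof buf);
}

int main(void) {
    /* Constructed sample values: a harmless double and a very large one.
     * "%f" of 1e300 expands to over 300 digits, far beyond 256 bytes. */
    double small = 3.5, huge = 1e300;
    printf("unbounded length: %zu vs %zu (buffer holds %d)\n",
           unbounded_repr_len('d', small), unbounded_repr_len('d', huge),
           REPR_BUF);
    printf("bounded write fits: %d vs %d\n",
           repr_fits('d', small), repr_fits('d', huge));
    return 0;
}
```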
