GHSA-pph8-gcv7-4qj5

Опубликовано: 02 апр. 2025

Источник: github

Github: Прошло ревью

CVSS4: 2.9

Описание

PyO3 Risk of buffer overflow in PyString::from_object

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

Ссылки

https://github.com/PyO3/pyo3/issues/5005
https://github.com/PyO3/pyo3/pull/5008
https://rustsec.org/advisories/RUSTSEC-2025-0020.html

Пакеты

Наименование

pyo3

rust

Затронутые версииВерсия исправления

>= 0.1.0, < 0.24.1

0.24.1

2.9 Low

CVSS4

Дефекты

CWE-125

2.9 Low

CVSS4

Дефекты

CWE-125