Upgrade libuv to v1.48.0 #600
Conversation
I think the pipeline should be able to pass as it did in the PR in my fork repo. Could someone please trigger a retry?
yeah that error in CI looks like an old flake
I did some investigating about that vulnerability. I checked if I could reproduce the 'truncate after 256 bytes' vulnerability. I cannot exploit it if I pass hostname as a string, due to this idna encoding line; uvloop accidentally protects you from the libuv vulnerability:
This is a similar error that socket gives:
However, if I pass the hostname as bytes, I can bypass the accidental uvloop protection and exploit libuv:
socket, however, isn’t fooled:
I didn’t know about this
I can't find any documentation about why that's considered a valid hostname. It's obviously a hex encoding of a 4-byte IPv4 address, but I've never seen it written that way. Anyway, maybe you can turn my investigation into a unit test for the security vulnerability.
Regarding the idna encoding error, there's some discussion of whether that error should be handled a different way in the Python standard library or not. Just for reference: python/cpython#77139
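The comment above points out that uvloop's str path is protected only as a side effect of its IDNA encoding step, while the bytes path reaches the resolver unchecked. The following is an added example of a pre-validation step a caller can put in front of any resolver call; it is not uvloop's or libuv's code, and the limits it enforces (255 octets per hostname, 63 octets per label) are the DNS wire-format limits, assumed here as the policy the caller wants. It applies the same check to both str and bytes input so neither path depends on an accidental protection.

```python
# Added example: explicit hostname length validation before resolution.
# Not uvloop or libuv code. The limits below are the DNS wire-format
# limits (RFC 1035); enforcing them here is an assumption about what a
# caller wants to reject before handing a name to any resolver.

MAX_HOSTNAME_OCTETS = 255
MAX_LABEL_OCTETS = 63


def validate_hostname(host):
    """Return the hostname as bytes if it fits DNS limits; raise otherwise.

    Accepts str or bytes. A str is IDNA-encoded first (the same step that
    happens to protect the str path in uvloop); a bytes value is checked
    as-is, which is the path the IDNA step never sees.
    """
    if isinstance(host, str):
        try:
            raw = host.encode("idna")
        except UnicodeError as exc:
            # The idna codec rejects empty or over-long labels itself.
            raise ValueError(f"invalid hostname: {exc}") from exc
    elif isinstance(host, (bytes, bytearray)):
        raw = bytes(host)
    else:
        raise TypeError("hostname must be str or bytes")

    if not raw:
        raise ValueError("empty hostname")

    # Total length check: this is the limit that a silent truncation
    # at 256 bytes would otherwise hide from the caller.
    if len(raw) > MAX_HOSTNAME_OCTETS:
        raise ValueError(
            f"hostname is {len(raw)} octets, limit is {MAX_HOSTNAME_OCTETS}"
        )

    # Per-label check; a single trailing dot (absolute name) is allowed.
    for label in raw.rstrip(b".").split(b"."):
        if not label:
            raise ValueError("empty label in hostname")
        if len(label) > MAX_LABEL_OCTETS:
            raise ValueError(
                f"label is {len(label)} octets, limit is {MAX_LABEL_OCTETS}"
            )
    return raw


def is_valid_hostname(host):
    """Boolean wrapper for use in tests or request filters."""
    try:
        validate_hostname(host)
    except (ValueError, TypeError):
        return False
    return True
```

A unit test built on this can assert that a 256-plus-byte name, whether given as str or bytes, is rejected before the resolver is reached; that is the property the investigation above says the bytes path currently lacks.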
Upgrades libuv to v1.48.0 which fixes a security vulnerability.
I removed two DNS test cases because they raise an error intended by libuv.