Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gh-96577: Fixes buffer overrun in _msi module #96633

Merged
merged 1 commit into from
Sep 7, 2022
Merged

gh-96577: Fixes buffer overrun in _msi module #96633

merged 1 commit into from
Sep 7, 2022

Conversation

zooba
Copy link
Member

@zooba zooba commented Sep 6, 2022
edited by bedevere-bot

@zooba zooba added type-security A security issue needs backport to 3.7 needs backport to 3.8 only security fixes needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Sep 6, 2022
@zooba zooba requested a review from a team as a code owner September 6, 2022 23:15
vstinner
vstinner approved these changes Sep 7, 2022
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

MsiFormatRecordA:

Pointer to the variable that specifies the size, in TCHARs, of the buffer pointed to by the variable szResultBuf.

MsiRecordGetStringW

Pointer to the variable that specifies the size, in TCHARs, of the buffer pointed to by the variable szValueBuf.

Misc/NEWS.d/next/Windows/2022-09-07-00-11-33.gh-issue-96577.kV4K_1.rst
@@ -0,0 +1 @@
Fixes a potential buffer overrun in :mod:`msilib`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may move this to the security category, but I'm fine with the Windows category.

@zooba zooba merged commit 4114bcc into python:main Sep 7, 2022
@miss-islington
Copy link
Contributor

Thanks @zooba for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10, 3.11.
🐍🍒⛏🤖

@zooba zooba deleted the gh-96577 branch September 7, 2022 17:01
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
d4f4fe9 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-bot bedevere-bot removed the needs backport to 3.11 only security fixes label Sep 7, 2022
@bedevere-bot
Copy link

GH-96655 is a backport of this pull request to the 3.11 branch.

@bedevere-bot
Copy link

GH-96656 is a backport of this pull request to the 3.10 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Sep 7, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
6fb0be8 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label Sep 7, 2022
@bedevere-bot
Copy link

GH-96657 is a backport of this pull request to the 3.9 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
9dfb50b 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
@bedevere-bot
Copy link

GH-96658 is a backport of this pull request to the 3.8 branch.

@bedevere-bot
Copy link

GH-96659 is a backport of this pull request to the 3.7 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
48c6e59 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
miss-islington added a commit that referenced this pull request Sep 7, 2022
@miss-islington @zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
9fa21d0 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
miss-islington added a commit that referenced this pull request Sep 7, 2022
@miss-islington @zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
e561161 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
ned-deily pushed a commit that referenced this pull request Sep 13, 2022
@miss-islington @zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96659)
8fc2635 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
ambv pushed a commit that referenced this pull request Oct 4, 2022
@miss-islington @zooba
[3.9] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96657
938223e 
)

gh-96577: Fixes buffer overrun in _msi module (GH-96633)
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
ambv pushed a commit that referenced this pull request Oct 4, 2022
@miss-islington @zooba
[3.8] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96658
12c72d6 
)

gh-96577: Fixes buffer overrun in _msi module (GH-96633)
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vstinner vstinner vstinner approved these changes

Assignees
No one assigned
Labels
type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@zooba @miss-islington @bedevere-bot @vstinner