The Python Software Foundation (PSF) has released Python 3.9.2 and 3.8.8 to address two significant security vulnerabilities, including a remote code execution (RCE) flaw.
The PSF urges Python users to upgrade to Python 3.8.8 or 3.9.2, in particular to address the RCE vulnerability tracked as CVE-2021-3177.
The foundation brought the final releases forward after receiving unexpected pressure from users concerned about the flaw.
"Since the announcement of the release candidates of versions 3.9.2 and 3.8.8, we have received a series of surveys from end users urging us to speed up the final releases due to the security content, especially CVE-2021-3177," said Python.
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in ctypes/callproc.c, which may lead to remote code execution.
It affects Python applications that "accept floating-point numbers as unreliable input, as shown by the argument 1e300 in c_double.from_param."
Various Linux distributions, such as Debian, have shipped security patches to ensure that the versions of Python they bundle are protected.
The vulnerability is a classic memory-safety defect. According to Red Hat, a stack-based buffer overflow in the Python ctypes module stems from incorrect input validation, "which would allow an attacker to overflow a buffer on the stack and destroy the application."
While an RCE vulnerability is serious, Red Hat notes that "the biggest threat from this vulnerability is to system availability." In other words, the most likely outcome is that an attacker could mount a denial-of-service attack.
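The two practical takeaways above are (a) know whether an interpreter predates the fixed releases and (b) never pass an unbounded, untrusted float into a C-level API such as ctypes. The following script is an added example, not code from the PSF, Red Hat or the article; it encodes only the fixed releases the article names (3.8.8 and 3.9.2), treats any older 3.x as affected per the "3.x through 3.9.1" range, and uses an assumed range of [-1e6, 1e6] as a stand-in for whatever an application's real domain is. Distribution builds that backport the patch keep their old version number, so "affected" from this check means "consult your vendor advisory", not "definitely exploitable".

```python
import ctypes
import math
import sys
from typing import Optional, Tuple

# Fixed upstream releases named in the article for CVE-2021-3177.
FIXED_RELEASES = {(3, 8): (3, 8, 8), (3, 9): (3, 9, 2)}


def is_affected_version(version: Tuple[int, int, int]) -> bool:
    """True if an upstream CPython version predates the fix the article names.

    Caveat: distributions (Debian is mentioned in the article) ship the patch
    without bumping the version, so True means "check your vendor advisory".
    """
    major, minor, _micro = version
    if major != 3:
        return False  # the article scopes the bug to Python 3.x
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None:
        return version < fixed
    # Series the article does not name: 3.10 and later shipped after the fix;
    # anything older than 3.8 falls inside the "3.x through 3.9.1" range.
    return minor < 8


def check_untrusted_float(raw: str, lo: float = -1e6, hi: float = 1e6) -> Optional[str]:
    """Return None if `raw` is an acceptable float, else the rejection reason.

    The bounds are an assumption standing in for the application's real
    domain; the point is that untrusted floats are forced into a finite,
    bounded range before they reach a C-level API such as ctypes.
    """
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return "not a number"
    if math.isnan(value) or math.isinf(value):
        return "non-finite value"
    if not lo <= value <= hi:
        return f"out of range [{lo}, {hi}]"
    return None


def to_c_double(raw: str) -> ctypes.c_double:
    """Validate first, then hand the value to ctypes."""
    reason = check_untrusted_float(raw)
    if reason is not None:
        raise ValueError(f"rejected untrusted float {raw!r}: {reason}")
    return ctypes.c_double(float(raw))


def current_interpreter_status() -> str:
    """Describe the running interpreter relative to the fixed releases."""
    v = (sys.version_info.major, sys.version_info.minor, sys.version_info.micro)
    state = "predates upstream fix" if is_affected_version(v) else "at or past upstream fix"
    return f"Python {v[0]}.{v[1]}.{v[2]}: {state} for CVE-2021-3177"


if __name__ == "__main__":
    print(current_interpreter_status())
    # Constructed sample inputs: one sane value, the article's 1e300, and junk.
    for sample in ["12.5", "1e300", "nan", "abc"]:
        print(sample, "->", check_untrusted_float(sample) or "accepted")
```

The range check rejects the article's `1e300` trigger value long before ctypes sees it, and the non-finite check catches `nan`/`inf`, which a bare range comparison would silently let through.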
Source: zdnet.com