CPython bugs & risky features
2022-07-13, The Auditorium

In this talk we will look into a few bug cases and doubtful features in CPython, some of which are still present (and known to bugs.python.org) and may pose a security risk for admins or organizations.



We will learn why running the Python interpreter in a random directory can be harmful (which is related to how the interpreter loads libraries), how installed modules can inject code into any Python script execution (even if the installed library is not imported), and about a socket.inet_aton issue that actually comes from glibc. We will also cover the risks involved with those cases and possible mitigations of those risks.
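The case of installed packages running code at every interpreter start can be audited locally. The added example below (not from the talk or its slides) assumes the mechanism is the `site` module's handling of `.pth` files, where any line starting with `import` is executed at startup; the function names and sample files are constructed for illustration.

```python
"""Audit .pth files for lines that the site module executes at startup."""
import site
import tempfile
from pathlib import Path


def executable_pth_lines(directory):
    """Return (file name, line number, text) for each .pth line site would exec()."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            lines = pth.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue  # unreadable file, nothing to report
        for number, line in enumerate(lines, start=1):
            # site.py exec()s lines beginning with "import" plus a space or tab;
            # other non-comment lines are only treated as path entries.
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, number, line.strip()))
    return findings


def site_directories():
    """Directories whose .pth files are processed at interpreter start."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "plain.pth").write_text("# comment\n./vendor\nimportlib_dir\n")
        Path(tmp, "hook.pth").write_text(
            "./src\nimport os; os.environ.setdefault('PTH_DEMO', '1')\n"
        )
        return executable_pth_lines(tmp)


if __name__ == "__main__":
    print("constructed sample:", demo())
    for directory in site_directories():
        for name, number, text in executable_pth_lines(directory):
            print(f"{directory}/{name}:{number}: {text}")
```

Starting the interpreter with `-S` disables the `site` import, so no `.pth` file is processed.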

@EDIT After talk:
- Watch the talk on https://youtu.be/tRtxCCRdZOs?t=12251
- Slides are available on https://ujeb.se/pybugs


Expected audience expertise: Domain:

none

Expected audience expertise: Python:

some

Abstract as a tweet:

In this talk you can learn about some security risks coming from known(!) CPython bugs or doubtful features

Disconnect3d is a security engineer at Trail of Bits, where he hunts for security bugs in different kinds of software using both manual code analysis and various tools such as static analyzers, fuzzers and others. He specializes in low-level aspects and likes to understand how things work under the hood. In his free time, Disconnect3d plays CTF security competitions with the justCatTheFish team and plays the DoTA2 MOBA game.