CVE-2018-20406
Description
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
60(expand)+ 2 more
- (no CPE)
- (no CPE)range: <3.7.1
- (no CPE)range: <3.7.1
- osv-coords57 versionspkg:rpm/opensuse/python36&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python3-base&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/python3-base&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/python3&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/python3&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/python3-base&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/python3-base&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/python3-base&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/python3&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/python3&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/python3&distro=SUSE%20OpenStack%20Cloud%207
< 3.6.15-1.1+ 56 more
- (no CPE)range: < 3.6.15-1.1
- (no CPE)range: < 3.6.5-lp150.2.6.1
- (no CPE)range: < 3.6.10-lp151.6.7.1
- (no CPE)range: < 3.6.5-lp150.2.6.1
- (no CPE)range: < 3.6.10-lp151.6.7.1
- (no CPE)range: < 2.26.1-2.8.4
- (no CPE)range: < 1.15.10-2.13.4
- (no CPE)range: < 2.36.11-2.8.4
- (no CPE)range: < 2.54.3-2.14.7
- (no CPE)range: < 3.10.9-2.15.3
- (no CPE)range: < 1.7.5-2.7.4
- (no CPE)range: < 3.2.1.git259-2.3.3
- (no CPE)range: < 5.3.1+r233831-14.1
- (no CPE)range: < 1.40.14-2.7.4
- (no CPE)range: < 68-21.9.8
- (no CPE)range: < 68.2.0-78.51.4
- (no CPE)range: < 4.21-29.6.1
- (no CPE)range: < 3.45-38.9.3
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.6.5-3.8.1
- (no CPE)range: < 3.6.10-3.42.2
- (no CPE)range: < 3.6.5-3.8.1
- (no CPE)range: < 3.6.10-3.42.2
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.6.5-3.8.1
- (no CPE)range: < 3.6.10-3.42.2
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
- (no CPE)range: < 3.4.6-25.21.1
Patches
Vulnerability mechanics
References
15- lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.htmlmitrevendor-advisoryx_refsource_SUSE
- access.redhat.com/errata/RHSA-2019:3725mitrevendor-advisoryx_refsource_REDHAT
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/mitrevendor-advisoryx_refsource_FEDORA
- usn.ubuntu.com/4127-1/mitrevendor-advisoryx_refsource_UBUNTU
- usn.ubuntu.com/4127-2/mitrevendor-advisoryx_refsource_UBUNTU
- bugs.python.org/issue34656mitrex_refsource_MISC
- github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26ddmitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2019/02/msg00011.htmlmitremailing-listx_refsource_MLIST
- lists.debian.org/debian-lts-announce/2020/07/msg00011.htmlmitremailing-listx_refsource_MLIST
- security.netapp.com/advisory/ntap-20190416-0010/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.