Unbounded Resource Exhaustion Vulnerability in `Tools/freeze/checkextensions.py`

[kexinoh]

Bug Description:
The code will re-scan the newly generated content after replacing the variable. If a variable is defined to contain itself (i.e., a recursive definition), this process will fall into infinite recursion.

This recursion can lead to two forms of attacks: one is to cause an infinite loop and deplete CPU resources, and the other is to cause the string to grow infinitely and deplete memory resources. The final result will all lead to the application crashing or being unresponsive.

Vulnerability Locations :
1.

cpython/Tools/freeze/checkextensions.py

Line 72 in e64395e

def expandvars(str, vars):

Repair Status:
None

Common Information:

• CPython Version: main branch
• Operating System: Linux
• Credits: Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.

[picnixz]

Ok, it actually affects freeze.py so I think we can backport it until 3.9. However, I haven't checked if this is a realistic attack

[StanFromIreland]

Out of curiosity, is freeze.py still maintained? The last update was 2 years ago and for this specific file 16.

[sobolevn]

Is it really a security issue? Tools/freeze is an internal tool, which is used when CPython is built. If someone can affect the building process - you have much bigger problems.

I still think that this should be fixed, just doubting that this is a security issue.

[picnixz]

Although it's internal, it's still somehow documented: https://docs.python.org/3/faq/programming.html#how-can-i-create-a-stand-alone-binary-from-a-python-script. But I agree that it can be hard to exploit. I'm more worried about "mistakes" that can lead to issues.