[pybsddb] Data leak in latest bsddb3/berkeleydb packages

Jacob Henner JacobHenner at outlook.com
Wed May 14 14:02:12 CEST 2025


No, I've not created a CVE previously, but I would be glad to help in whatever way I can.

Should we discuss the details off-list?

Regards,
Jacob Henner
________________________________
From: pybsddb <pybsddb-bounces at jcea.es> on behalf of Jesus Cea <jcea at jcea.es>
Sent: Wednesday, May 14, 2025 7:31 AM
To: pybsddb at jcea.es <pybsddb at jcea.es>
Subject: Re: [pybsddb] Data leak in latest bsddb3/berkeleydb packages

On 14/5/25 3:49, Jacob Henner wrote:
> Here is a simple reproducer:
> https://gist.github.com/JacobHenner/8af2eeb7bfa29475aa203abcd526dccc
>
> The reproducer successfully reproduces the issue on Arch Linux amd64
> with libdb 6.2.32 or libdb 5.3.28 and Python 3.12.10.
>
> Interestingly, the code segfaults with Python 3.13.3. I will create a
> separate thread for that issue.

I am talking (or trying) with Oracle about this issue. It is serious.

Do you have experience creating a CVE?

--
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - https://www.jcea.es/    _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:jcea at jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz