.. _pickle-load-dos:

pickle.load denial of service
=============================

.. warning::

   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for
   vulnerabilities affecting Python `_ is available on GitHub in the Open Source
   Vulnerability (OSV) format. This vulnerability can be viewed online at the
   `Open Source Vulnerability Database `_.

A bug in the ``pickle.load()`` function can cause a memory exhaustion denial of
service.

Dates:

* Disclosure date: **2018-09-13** (Python issue bpo-34656 reported)

Fixed In
--------

* Python **3.4.10** (2019-03-18) fixed by `commit 4b42d57 (branch 3.4) `_ (2019-02-25)
* Python **3.5.7** (2019-03-18) fixed by `commit ef33dd6 (branch 3.5) `_ (2019-02-26)
* Python **3.6.7** (2018-10-20) fixed by `commit 71a9c65 (branch 3.6) `_ (2018-09-21)
* Python **3.7.1** (2018-10-20) fixed by `commit ef4306b (branch 3.7) `_ (2018-09-21)
* Python **3.8.0** (2019-10-14) fixed by `commit a4ae828 (branch 3.8) `_ (2018-09-21)

Python issue
------------

[CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393.

* Python issue: `bpo-34656 `_
* Creation date: 2018-09-13
* Reporter: shuoz

CVE-2018-20406
--------------

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large
LONG_BINPUT value that is mishandled during a "resize to twice the size"
attempt. This issue might cause memory exhaustion, but is only relevant if the
pickle format is used for serializing tens or hundreds of gigabytes of data.

This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7,
v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11,
v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9,
v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1,
v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7,
v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

* CVE ID: `CVE-2018-20406 `_
* Published: 2018-12-23
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2018-09-13** as reference:

* 2018-09-13: `Python issue bpo-34656 `_ reported by shuoz
* 2018-09-21 (**+8 days**): `commit 71a9c65 (branch 3.6) `_
* 2018-09-21 (**+8 days**): `commit a4ae828 (branch 3.8) `_
* 2018-09-21 (**+8 days**): `commit ef4306b (branch 3.7) `_
* 2018-10-20 (**+37 days**): Python 3.6.7 released
* 2018-10-20 (**+37 days**): Python 3.7.1 released
* 2018-12-23 (**+101 days**): CVE-2018-20406 published
* 2019-02-25 (**+165 days**): `commit 4b42d57 (branch 3.4) `_
* 2019-02-26 (**+166 days**): `commit ef33dd6 (branch 3.5) `_
* 2019-03-18 (**+186 days**): Python 3.4.10 released
* 2019-03-18 (**+186 days**): Python 3.5.7 released
* 2019-10-14: Python 3.8.0 released

Links
-----

* https://bugzilla.redhat.com/show_bug.cgi?id=1664511
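As an added illustration of the CVE-2018-20406 vector described above (example code, not the Python project's own and not part of this advisory): the memo index carried by a LONG_BINPUT opcode is what the unpickler's memo table has to grow to hold, so an opcode-level scan with ``pickletools.genops``, which decodes the stream without executing it, can flag oversized indices before any ``pickle.load`` call on a pre-fix interpreter. The byte strings are constructed samples and ``MAX_MEMO_INDEX`` is an assumed policy limit.

```python
"""Opcode-level audit for oversized memo indices in a pickle stream.

Added example, not Python's own code: pickletools.genops() decodes the
stream without executing it, so it can be run on a stream before
deciding whether to unpickle it at all.
"""
import pickle
import pickletools

# Assumed policy limit: legitimate pickles memoize far fewer than a
# million objects; anything above this forces a huge memo table on load.
MAX_MEMO_INDEX = 1_000_000

# Opcodes that store the top of the stack in the memo at an explicit index.
MEMO_PUT_OPCODES = {"BINPUT", "LONG_BINPUT"}


def audit_memo_indices(data, max_index=MAX_MEMO_INDEX):
    """Return [(offset, index), ...] for every BINPUT/LONG_BINPUT whose
    memo index exceeds max_index; an empty list means the stream stays
    within the policy limit."""
    flagged = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in MEMO_PUT_OPCODES and arg > max_index:
            flagged.append((pos, arg))
    return flagged


def required_memo_size(data):
    """Smallest memo table (in slots) that can hold every index the
    stream PUTs into: the size the unpickler's memo must reach, and the
    target of the vulnerable 'resize to twice the size' growth."""
    largest = -1
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in MEMO_PUT_OPCODES:
            largest = max(largest, arg)
    return largest + 1


# Constructed sample: PROTO 2, NONE, LONG_BINPUT 0xFFFFFFFF, STOP.
# The 4-byte little-endian index is the largest LONG_BINPUT can carry.
OVERSIZED_PICKLE = b"\x80\x02N" + b"r\xff\xff\xff\xff" + b"."

# Constructed benign sample produced by the standard library (one BINPUT 0).
BENIGN_PICKLE = pickle.dumps([1, 2], protocol=2)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("oversized", OVERSIZED_PICKLE)):
        hits = audit_memo_indices(blob)
        print(f"{label}: memo slots needed={required_memo_size(blob)}, flagged={hits}")
```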