[3.12] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) (GH-133944) #134337

Merged: Yhg1s merged 1 commit into python:3.12 from serhiy-storchaka:backport-6279eb8-3.12 on May 26, 2025

Conversation

serhiy-storchaka (Member) commented May 20, 2025

If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will become invalid after destroying that temporary bytes object. So we need another way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().

_PyBytes_DecodeEscape() does not have such an issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58) (cherry picked from commit 6279eb8)

…der with an error handler (pythonGH-129648) (pythonGH-133944)

If the error handler is used, a new bytes object is created to set as
the object attribute of UnicodeDecodeError, and that bytes object then
replaces the original data. A pointer to the decoded data will become invalid
after destroying that temporary bytes object. So we need another way to return
the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().

_PyBytes_DecodeEscape() does not have such an issue, because it does not
use the error handlers registry, but it should be changed for compatibility
with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58)
(cherry picked from commit 6279eb8)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@serhiy-storchaka serhiy-storchaka marked this pull request as draft May 20, 2025 14:51
@serhiy-storchaka serhiy-storchaka marked this pull request as ready for review May 20, 2025 14:54
@Yhg1s Yhg1s merged commit 4398b78 into python:3.12 May 26, 2025
32 checks passed
freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this pull request May 27, 2025
nanorkyo pushed a commit to nanorkyo/freebsd-ports that referenced this pull request May 29, 2025
dakaneye pushed a commit to wolfi-dev/os that referenced this pull request May 29, 2025
## Summary
Fix use-after-free vulnerability in the unicode-escape decoder with
non-strict error handlers.

## Details
- **CVE**: CVE-2025-4516
- **Severity**: Medium
- **Issue**: Use-after-free crash when using
`bytes.decode("unicode_escape", error="ignore|replace")`

## Changes
- Add CVE-2025-4516.patch from upstream merged PRs
- Python 3.12: [PR #134337](python/cpython#134337)
- Python 3.13: [PR #133944](python/cpython#133944)
- Increment epoch to 2 for both packages

## Status
- ✅ Python 3.12: Upstream patch merged and applied
- ✅ Python 3.13: Upstream patch merged and applied
- ⏳ Python 3.9, 3.10, 3.11: Waiting for upstream PRs to be merged

## Testing
CI will validate that:
- Patches apply cleanly
- Packages build successfully
- Tests pass

## References
- [CVE-2025-4516 Details](https://www.cve.org/CVERecord?id=CVE-2025-4516)
- [Security Advisory](https://mail.python.org/archives/list/security-announce@python.org/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/)
- Related to: chainguard-dev/internal-dev#12589
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jun 10, 2025
Pull request: python/cpython#134337
Commit: python/cpython@a75953b
Branch history: https://github.com/python/cpython/commits/3.12/

Commit is included in the 3.12.11 release per 3.12 branch history
msk pushed a commit to msk/pkgsrc that referenced this pull request May 11, 2026
jperkin pushed a commit to TritonDataCenter/pkgsrc that referenced this pull request May 14, 2026
@serhiy-storchaka serhiy-storchaka deleted the backport-6279eb8-3.12 branch July 1, 2026 16:46
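
For teams triaging exposure while interpreters are being upgraded, the following added example (not part of this pull request or of CPython) audits Python source for the call pattern the fix concerns: a `unicode_escape` decode with an error handler other than `strict`. The function names and the sample source are constructed for illustration, and treating `strict` as unaffected is an assumption based on the "non-strict error handlers" wording in the downstream commit message above.

```python
import ast

# Constructed sample source to audit (not taken from any real project).
SAMPLE = '''
import codecs
a = raw.decode("unicode_escape")
b = raw.decode("unicode-escape", "ignore")
c = raw.decode("UNICODE_ESCAPE", errors="replace")
d = codecs.decode(raw, "unicode_escape", errors=mode)
e = raw.decode("utf-8", "replace")
f = raw.decode("unicode_escape", "strict")
'''

def _is_unicode_escape(node):
    """True if node is a string literal naming the unicode_escape codec."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lower().replace("-", "_") == "unicode_escape")

def find_risky_decodes(source):
    """Return sorted (lineno, handler) pairs for non-strict unicode_escape decodes.

    handler is the literal handler name, or "<dynamic>" when it is not a literal.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "decode"):
            continue
        args = list(node.args)
        # codecs.decode(obj, encoding, errors): drop the leading object argument.
        if isinstance(node.func.value, ast.Name) and node.func.value.id == "codecs":
            args = args[1:]
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        encoding = args[0] if args else kw.get("encoding")
        errors = args[1] if len(args) > 1 else kw.get("errors")
        if encoding is None or not _is_unicode_escape(encoding):
            continue
        if errors is None:
            continue  # no handler given: the default is "strict"
        if isinstance(errors, ast.Constant) and isinstance(errors.value, str):
            if errors.value != "strict":
                hits.append((node.lineno, errors.value))
        else:
            hits.append((node.lineno, "<dynamic>"))  # handler chosen at run time
    return sorted(hits)

if __name__ == "__main__":
    print(find_risky_decodes(SAMPLE))
```

Call sites reported as `<dynamic>` need manual review, since the handler is only known at run time; the audit does not follow codec names held in variables or aliased imports of `codecs`.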
Labels

type-security A security issue
