Python plistlib Module Out-of-Memory Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Python plistlib module, specifically in versions 3.10, 3.11, 3.12, 3.13, and 3.14. When the module loads a plist file, it reads data according to the size declared in the file itself, a value that can be as large as 2^64 bytes, without checking that the declared size is consistent with the data actually present. A maliciously crafted plist file can therefore trigger excessive memory allocation, leading to out-of-memory conditions and potential process or system crashes.
Impact
Exploitation of this vulnerability can cause out-of-memory conditions, leading to killed processes or containers, or even system crashes.
Reproduction
The vulnerability can be reproduced by using the plistlib module to load a binary plist file crafted to declare a large amount of data. Such a file specifies a size larger than can be handled, such as 2**64 bytes, and is then read with the plistlib.load() function. The issue can also be reproduced with the 'test_truncated_large_data' test case added in the patch, which simulates the same condition by writing a file that triggers the out-of-memory behavior.
Remediation
Users can update to Python versions 3.10.13, 3.11.13, 3.12.6, 3.13.5, or 3.14.5, where this vulnerability has been fixed.
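For users who cannot upgrade immediately, the added example below (not code from this advisory or from CPython's fix) shows a defensive wrapper: it caps the input size and, for binary plists, checks that the trailer and offset table actually fit inside the bytes present before handing the data to plistlib. The function names, the 1 MiB default cap and the sample inputs are assumptions of this example.

```python
import plistlib
import struct

BPLIST_MAGIC = b"bplist00"
TRAILER_LEN = 32  # every binary plist ends in a fixed 32-byte trailer
TRAILER_FMT = ">6xBBQQQ"  # offset size, ref size, #objects, top object, table offset
OFFSET_FMT = {1: "B", 2: "H", 4: "L", 8: "Q"}

def check_bplist_bounds(data: bytes) -> None:
    """Raise ValueError unless the trailer and offset table fit in the bytes present."""
    if len(data) < len(BPLIST_MAGIC) + TRAILER_LEN or not data.startswith(BPLIST_MAGIC):
        raise ValueError("not a binary plist, or too short to hold a trailer")
    offset_size, ref_size, num_objects, top_object, table_off = struct.unpack(
        TRAILER_FMT, data[-TRAILER_LEN:])
    body_end = len(data) - TRAILER_LEN  # objects and offset table must end here
    if offset_size not in OFFSET_FMT or ref_size not in OFFSET_FMT:
        raise ValueError("invalid offset or reference size")
    if top_object >= num_objects:
        raise ValueError("top object index out of range")
    # Python ints do not overflow: an absurd declared count fails this compare
    # instead of driving a huge read or allocation.
    table_end = table_off + num_objects * offset_size
    if table_off < len(BPLIST_MAGIC) or table_end > body_end:
        raise ValueError("offset table lies outside the file")
    offsets = struct.unpack(f">{num_objects}{OFFSET_FMT[offset_size]}",
                            data[table_off:table_end])
    if any(not len(BPLIST_MAGIC) <= off < table_off for off in offsets):
        raise ValueError("object offset outside the object area")

def safe_load(data: bytes, max_bytes: int = 1 << 20):
    """Parse a plist only after a hard size cap and, for binary plists, bounds checks."""
    if len(data) > max_bytes:
        raise ValueError(f"plist exceeds {max_bytes} bytes")
    if data.startswith(BPLIST_MAGIC):
        check_bplist_bounds(data)
    return plistlib.loads(data)

def is_rejected(data: bytes, max_bytes: int = 1 << 20) -> bool:
    try:
        safe_load(data, max_bytes)
        return False
    except ValueError:
        return True

def sample_plist() -> bytes:
    """Constructed sample input: a small, well-formed binary plist."""
    return plistlib.dumps({"a": 1}, fmt=plistlib.FMT_BINARY)

def drop_offset_table(data: bytes) -> bytes:
    """Constructed corrupt input: the offset table is cut out, so the trailer
    now points past the bytes that remain (a truncated file)."""
    table_off = struct.unpack(TRAILER_FMT, data[-TRAILER_LEN:])[4]
    return data[:table_off] + data[-TRAILER_LEN:]
```

The checks only cover the trailer and offset table, not the per-object size fields the advisory describes, so they complement rather than replace the upstream fix.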
