Key vulnerability information

Title: [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format
Type: resource usage
Stage: resolved
Components: Library (Lib)
Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6
Status: closed
Resolution: fixed
Priority: release blocker
Keywords: patch, security_issue

Summary: In Python versions 3.4 through 3.10, malformed input can force the library to create an argument to that consumes all available CPU and memory. The trigger is a malformed binary plist file: an attacker who can get such a file parsed by an application (untrusted uploads, files from a device, configuration pulled from the network) can exhaust the host's CPU and RAM, a denial of service. The fix limits the number of values read by and adds validation of the declared string size, so that sizes larger than the data actually present are rejected instead of acted upon.

Pull Requests:
PR 22882: Fixes the problem in , adds validation for string size, and adds many tests for malformed binary plists.
PR 23115, PR 23116, PR 23117, PR 23118: Merged to address the related issues in the respective Python branches.

Messages:
msg379175: Initial report by Robert Wessen.
msg379238, msg379243: Ronald Oussoren confirmed the issue and suggested a fix.
msg379255, msg379283, msg379285, msg379286: Serhiy Storchaka provided insights and worked on the PRs to address the issues.
msg380703, msg380704: Ned Deily merged the PRs into the respective Python branches.