Python plistlib DoS via CPU/RAM exhaustion from malformed binary Plist

Critical Vulnerability Information Title: [security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format Type: resource usage Stage: resolved Components: Library (Lib) Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6 Status: closed Resolution: fixed Priority: release blocker Keywords: patch, security_issue Summary: In Python versions from 3.4 to 3.10, the library could be forced to generate an argument for that consumes all available CPU and memory due to malformed input. The vulnerability stemmed from malformed binary plist files, which could trigger a Denial of Service (DoS) attack by exhausting CPU and RAM resources. The issue was resolved by limiting the number of values read by and adding validation for string size. Pull Requests: PR 22882: Fixes issue in , adds string size validation, and includes extensive tests for malformed binary Plists. PR 23115, PR 23116, PR 23117, PR 23118: Merged to address related issues. Messages: msg379175: Initial report by Robert Wessen. msg379238, msg379243: Ronald Oussoren confirmed the issue and proposed a fix. msg379255, msg379283, msg379285, msg379286: Serhiy Storchaka provided insights and contributed to the PRs addressing the issues. msg380703, msg380704: Ned Deily merged the PRs into the respective Python branches.

Goal Reached Thanks to every supporter — we hit 100%!

Python plistlib DoS via CPU/RAM exhaustion from malformed binary Plist