CPython bugs & risky features

Room:: The Auditorium
Start (Dublin time):: 12:10 on 13 July 2022
Start (your time):: 07:10 on 13 July 2022
Duration:: 45 minutes

Abstract

In this talk we will look into a few bug cases or doubtful features in CPython some of which are still present (and known to bugs.python.org) and may impose a security risk for admins or organizations.

Talk~None of the above

Description

We will learn why running Python interpreter in random directory can be harmful which is related to interpreter libs loading, a possibility for installed modules to inject code into any Python script execution (even if the installed library is not imported), a socket.inet_aton issue that actually comes from glibc and risks involved with those cases and possible mitigations of those risks.

@EDIT After talk:

Watch the talk on https://youtu.be/tRtxCCRdZOs?t=12251
Slides are available on https://ujeb.se/pybugs

The speaker

disconnect3d

Disconnect3d is a security engineer at Trail of Bits where he hunt for security bugs in different kinds of software using both manual code analysis and various tools like static analyzers, fuzzers and others. He specializes in low level aspects and likes to understand how things works under the hood. On his free time, Disconnect3d plays CTF security competitions with justCatTheFish team and plays DoTA2 moba game.