report memory exposure in PyO3's PyString::from_object (#2266)

davidhewitt · web-flow · commit 7ca33d4f9107 · 2025-04-01T10:47:18.000+02:00
diff --git a/crates/pyo3/RUSTSEC-0000-0000.md b/crates/pyo3/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pyo3"
+date = "2025-04-01"
+url = "https://github.com/PyO3/pyo3/issues/5005"
+categories = ["memory-exposure"]
+keywords = ["buffer-overflow"]
+
+[affected]
+functions = { "pyo3::types::PyString::from_object" = ["< 0.24.1"], "pyo3::types::PyString::from_object_bound" = ["< 0.24.1", ">= 0.21.0"] }
+
+[versions]
+patched = [">= 0.24.1"]
+```
+
+# Risk of buffer overflow in `PyString::from_object`
+
+`PyString::from_object` took `&str` arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the `&str` data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).
+
+In PyO3 0.24.1 this function will now allocate a `CString` to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes `&CStr` arguments.
