The following advisory describes 12 (twelve) vulnerabilities found in Python Bytecode Disassembler and Decompiler (pycdc).
Python Bytecode Disassembler and Decompiler (pycdc) “aims to translate compiled Python byte-code back into valid and human-readable Python source code. While other projects have achieved this with varied success, Decompyle++ is unique in that it seeks to support byte-code from any version of Python.”
The vulnerabilities found are:
- Heap buffer overflow (2)
- Null pointer (8)
- Global buffer overflow
- Singed integer overflow
An independent security researcher from Geeknik Labs has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Michael Hansen was informed of the vulnerability and release a patches to address them.
For more details: https://github.com/zrax/pycdc/commit/bf60a5831bd3d3c8aa0544c5aefab3310de5d615
At this time we will not disclose PoC – we may release these later when users of the python code have updated their systems.