CVE-2019-19274

NameCVE-2019-19274
Descriptiontyped_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python3-typed-ast (PTS)bullseye1.4.2-1fixed
bookworm1.5.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python3-typed-astsourcestretch(not affected)
python3-typed-astsource(unstable)1.4.0-1low

Notes

[buster] - python3-typed-ast <no-dsa> (Minor issue)
[stretch] - python3-typed-ast <not-affected> (Vulnerable code introduced later)
https://bugs.python.org/issue36495
Introduced by: https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce (1.3.0)
Fixed by: https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b (1.3.2)
Search for package or bug name: Reporting problems