Candidate: CVE-2019-19275
PublicDate: 2019-11-26 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19275
 https://bugs.python.org/issue36495
 https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce
 https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b
 https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e
 https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c
Description:
 typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An
 attacker with the ability to cause a Python interpreter to parse Python
 source (but not necessarily execute it) may be able to crash the
 interpreter process. This could be a concern, for example, in a web-based
 service that parses (but does not execute) Python code. (This issue also
 affected certain Python 3.8.0-alpha prereleases.)
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_python3-typed-ast:
upstream_python3-typed-ast: released (1.4.0-1)
precise/esm_python3-typed-ast: DNE
trusty_python3-typed-ast: ignored (out of standard support)
trusty/esm_python3-typed-ast: DNE
xenial_python3-typed-ast: DNE
bionic_python3-typed-ast: needs-triage
disco_python3-typed-ast: ignored (reached end-of-life)
eoan_python3-typed-ast: not-affected (1.4.0-1)
focal_python3-typed-ast: not-affected
groovy_python3-typed-ast: not-affected
hirsute_python3-typed-ast: not-affected
impish_python3-typed-ast: not-affected
jammy_python3-typed-ast: not-affected
devel_python3-typed-ast: not-affected