Full title: Python 3.4 / 3.5 xmlparse_setattro() Type Confusion Vulnerability 
Category: remote exploits
Platform: python
Python versions 3.4 and 3.5 suffer from a vulnerability caused by the behavior of the xmlparse_setattro() function. When called, the function uses the provided name argument in several conditional statements which assume that the name argument is a string. However, if a name argument is provided that is not a string, this logic will make several calls to PyUnicode_CompareWithASCIIString that expect a string, yet receive some other type of object, leading to a type confusion vulnerability.

# 0day.today @ http://0day.today/