Package manager: pip
Affected modules: PySide6
Download stats: 1,031,587 monthly (pypistats)
Repository: https://code.qt.io/cgit/pyside/pyside-setup.git/
Module description:
PySide6 is the official Python module from the Qt for Python project, which provides access to the complete Qt 6.0+ framework.
Read of uninitialized memory. Possible risk: leak of sensitive data.
The raw process memory is exposed through a QImage instance.
The object's allocated memory is not zeroed, so the created image contains raw bytes from already freed memory. This could be used to steal highly sensitive data, such as private keys, auth tokens, session cookies or any other memory artifacts.
Note that other image types (QBitmap, QPixmap, etc) are also affected.
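The following audit helper is an added example, not part of the original report or the PySide6 code base. It flags sized QImage/QPixmap/QBitmap constructions whose variable is never passed through fill() or clear(), the initialization step Qt's documentation asks for on these constructors. The matching is a name-based, per-file heuristic, and the function name and sample source are constructed for illustration.

```python
import ast

# Image classes the report names as affected.
IMAGE_CLASSES = {"QImage", "QPixmap", "QBitmap"}
# Methods that overwrite the whole pixel buffer (QBitmap also offers clear()).
INIT_METHODS = {"fill", "clear"}


def _class_name(func):
    """Return the called name for QImage(...) or QtGui.QImage(...)."""
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else None


def find_unfilled_images(source):
    """Return sorted (line, variable, class) for sized images never filled."""
    created, filled = {}, set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            call, target = node.value, node.targets[0]
            # Heuristic: 2-3 positional args with a non-string first argument
            # matches the (width, height[, format]) and (QSize, format) forms;
            # a string first argument is the load-from-file form.
            sized = len(call.args) in (2, 3) and not (
                isinstance(call.args[0], ast.Constant)
                and isinstance(call.args[0].value, (str, bytes)))
            cls = _class_name(call.func)
            if cls in IMAGE_CLASSES and sized and isinstance(target, ast.Name):
                created[target.id] = (node.lineno, cls)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in INIT_METHODS and isinstance(node.func.value, ast.Name):
                filled.add(node.func.value.id)
    return sorted((line, var, cls) for var, (line, cls) in created.items()
                  if var not in filled)


# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''
from PySide6.QtGui import QImage, QPixmap
leaky = QImage(64, 64, QImage.Format.Format_ARGB32)
data = leaky.constBits()
safe = QImage(64, 64, QImage.Format.Format_ARGB32)
safe.fill(0)
icon = QPixmap("logo.png")
thumb = QPixmap(32, 32)
'''

if __name__ == "__main__":
    for line, var, cls in find_unfilled_images(SAMPLE):
        print(f"line {line}: {cls} '{var}' is never filled before use")
```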
I've tested it on Ubuntu 24.04 LTS, Debian 12.
There is a simple PoC in file PoC.py. The PoC shows the two cases:
- leak of the content of a deleted variable
- leak of an arbitrary part of memory
You could use the provided Dockerfile in order to preserve the environment.
- Build the image
    docker build --tag pyside6-poc .
- Run the image
    docker run --rm pyside6-poc
- Expected behaviour
    > docker run --rm pyside6-poc
    PySide6 image content: b'@TX\x95\xc1\x7f\x00\x00@TX\x95\xc1\x7f\x00\x00\x00\x13^\xf8BV\x00\x00\x00\x13^\xf8BV\x00\x00{"secret": "leaked!!!!"}{"secret": "leaked!!!!"}{"secret": "leaked!!!!"}{"secret": "leaked!!!!"}'
Please note that the image contains the value of the secret variable and some memory addresses.