PT-2021-2441 · Python+9
Matthias Kaiser
·
Published
2021-01-19
·
Updated
2026-05-18
·
CVE-2021-3177
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Python versions 3.x through 3.9.1
Description:
The issue is a stack buffer overflow in the PyCArg_repr function in _ctypes/callproc.c. PyCArg_repr builds the repr of a ctypes argument object (the object returned by calls such as c_double.from_param) by formatting the wrapped value with sprintf into a fixed-size buffer. For floating-point values the format is "%f", which prints every integer digit rather than an exponent, so a value of large magnitude produces a string longer than the buffer and the write runs past its end. The overflow is triggered whenever such an object is formatted, for example by repr(), str(), an error message or a log line, and may lead to remote code execution in Python applications that pass untrusted floating-point numbers to C functions through the ctypes mechanism.
Recommendations:
Update to a release that contains the fix: Python 3.9.2, 3.8.8, 3.7.10 or 3.6.13, or any later release of those branches. Python 3.10 and later were released with the fix. Python 3.5 and earlier were already end-of-life when the issue was reported and did not receive a fix; applications on those versions must upgrade.
As a temporary workaround on an unpatched interpreter, do not pass untrusted floating-point values to ctypes foreign-function calls, and in particular avoid calling c_double.from_param with untrusted input; also avoid formatting (repr, str, logging, exception messages) ctypes argument objects built from untrusted values, since the overflow happens in the repr.
Exploit
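The two checks a deployer wants, as an added example that is not part of this advisory and not CPython's code: it reconstructs the length arithmetic behind the overflow described above in pure Python (the C code's "%f" formatting into a fixed buffer) and wraps c_double.from_param in the input guard the workaround calls for, together with a version check against the fixed releases. The 256-byte buffer size, the "<cparam 'd' (%f)>" format and the fixed-version table are assumptions taken from the public description of the bug and the fix releases; 1.5 and 1e300 are constructed sample inputs. The example does not reproduce the crash itself.

```python
# Added example for this advisory; not CPython's code. Assumptions: the
# vulnerable PyCArg_repr wrote "<cparam 'd' (%f)>" into a 256-byte stack
# buffer, and FIXED_IN lists the first release of each branch with the fix.
import sys
from ctypes import c_double

PYCARG_REPR_BUF = 256  # assumed size of the fixed stack buffer in the vulnerable code

# first release of each 3.x branch carrying the fix (assumed from the fix releases)
FIXED_IN = {
    (3, 6): (3, 6, 13),
    (3, 7): (3, 7, 10),
    (3, 8): (3, 8, 8),
    (3, 9): (3, 9, 2),
}


def cparam_repr_len(value, tag="d"):
    """Bytes the C code wrote (NUL excluded) for "<cparam 'TAG' (%f)>".

    "%f" prints every integer digit and never an exponent, so the length
    grows with the magnitude of the value: 1e300 alone costs 308 characters.
    """
    return len("<cparam '%c' (%f)>" % (tag, value))


def repr_fits(value):
    """True if the repr plus its NUL terminator fit the old fixed buffer."""
    return cparam_repr_len(value) + 1 <= PYCARG_REPR_BUF


def interpreter_is_fixed(version=None):
    """True if a Python 3.x interpreter at `version` carries the CVE-2021-3177 fix."""
    major, minor, micro = tuple(version or sys.version_info[:3])
    if major != 3:
        raise ValueError("this advisory covers Python 3.x only")
    if minor >= 10:
        return True          # 3.10 and later were released with the fix
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False         # 3.0 through 3.5 were end-of-life and never fixed
    return (major, minor, micro) >= fixed


def safe_from_param(value):
    """Gate an untrusted float before it reaches c_double.from_param.

    A value whose repr would have overrun the old buffer is rejected, so an
    unpatched interpreter never formats it; on a patched interpreter the
    check is cheap insurance.
    """
    value = float(value)
    if not repr_fits(value):
        raise ValueError("float too large for the PyCArg_repr buffer: %r" % value)
    return c_double.from_param(value)


if __name__ == "__main__":
    print("interpreter patched:", interpreter_is_fixed())
    for sample in (1.5, 1e300):  # constructed sample inputs
        print(sample, "needs", cparam_repr_len(sample), "bytes; fits:", repr_fits(sample))
```

Run it on the interpreter you deploy: a False from interpreter_is_fixed() means the guard in safe_from_param is load-bearing rather than redundant, and cparam_repr_len shows why a magnitude check alone is the right filter (the sign, NaN and infinity all format short; only large integer parts grow the string).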
Fix
RCE
Buffer Overflow
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Python
Red Hat
Rocky Linux
Suse
Ubuntu