gh-119342: Fix a potential denial of service in plistlib

[serhiy-storchaka]

Reading a specially prepared small Plist file could cause OOM because file's read(n) preallocates a bytes object for reading the specified amount of data. Now plistlib reads large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file.

• Issue: Out-of-memory when loading a Plist #119342

[gpshead]

I've marked this Draft for now as discussion on this on the security response team list is not complete. (we'll summarize that in a public issue once it has settled)

[encukou]

See #119514 (comment) for results of the PSRT discussion.

[miss-islington-app]

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

[bedevere-app]

GH-142143 is a backport of this pull request to the 3.14 branch.

[miss-islington-app]

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 694922cf40aa3a28f898b5f5ee08b71b4922df70 3.12

[miss-islington-app]

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 694922cf40aa3a28f898b5f5ee08b71b4922df70 3.11

[bedevere-app]

GH-142144 is a backport of this pull request to the 3.13 branch.

[miss-islington-app]

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 694922cf40aa3a28f898b5f5ee08b71b4922df70 3.10

[bedevere-app]

GH-142149 is a backport of this pull request to the 3.12 branch.

[bedevere-app]

GH-142150 is a backport of this pull request to the 3.11 branch.

[bedevere-app]

GH-142151 is a backport of this pull request to the 3.10 branch.

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Debian root 3.14 (tier-1) has failed when building commit b64441e.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1742/builds/727) and take a look at the build logs.
4. Check if the failure is related to this commit (b64441e) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1742/builds/727

Summary of the results of the build (if available):

==

Click to see traceback logs

Traceback (most recent call last):
  File "/root/buildarea/3.14.angelico-debian-amd64/build/Lib/test/support/__init__.py", line 847, in gc_collect
    gc.collect()
ResourceWarning: unclosed file <_io.FileIO name=13 mode='wb' closefd=True>


Traceback (most recent call last):
  File "/root/buildarea/3.14.angelico-debian-amd64/build/Lib/test/support/__init__.py", line 847, in gc_collect
    gc.collect()
ResourceWarning: unclosed file <_io.FileIO name=11 mode='wb' closefd=True>