Hi, I'm not against marking ply unsupported, but I must say the CVE is very questionable.
On Mon, Jun 08, 2026 at 04:15:11PM +0200, Sylvain Beucler wrote:
> We are not able to get official security feedback, e.g. for:
> https://www.openwall.com/lists/oss-security/2026/01/23/4
> which is both 9.8/critical:
> https://nvd.nist.gov/vuln/detail/CVE-2025-56005
> and unimportant at Debian:
> https://security-tracker.debian.org/tracker/CVE-2025-56005
> and disputed at independent pages:
> https://github.com/tom025/ply_exploit_rejection

I agree with this dispute. It is well known in the Python community to not load pickle files from unknown sources, preferably only when you are sure the pickle file came from your own program.

And in PLY, it's really meant to be pointed to a pickled version of the PLY result, IOW (de-)serializing the in-memory built executable code!

If this CVE was valid, then I imagine the solution for it is to put in the docs "don't do this".

Also: why is there no bug against src:ply?

Best,
Chris (a ply user)
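A defender-side illustration of the point above, added here and not part of the thread or of PLY itself: a restricted unpickler that loads a plain-data parser table but refuses any pickle that names a module-level object, which is the hook that makes loading pickles from unknown sources dangerous. The table layout below is a constructed stand-in and is assumed, not PLY's real on-disk format.

```python
import io
import pickle

# Constructed sample of the kind of plain-data structure a cached
# parser table is assumed to contain (assumption; not PLY's layout).
SAMPLE_TABLE = {
    "lr_method": "LALR",
    "lr_action": {0: {"NUMBER": 2, "$end": -1}},
    "lr_goto": {0: {"expression": 1}},
    "productions": [("expression -> NUMBER", "expression", 1)],
}


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Containers, strings and numbers never call find_class(), so a
    data-only table loads normally. Any pickle that references a class
    or function by name is rejected before it can be resolved.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name}: table must be plain data"
        )


def load_table_safely(blob: bytes):
    """Unpickle `blob` with globals disabled; raises UnpicklingError."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def is_data_only(blob: bytes) -> bool:
    """True if the pickle loads without resolving any global name."""
    try:
        load_table_safely(blob)
        return True
    except pickle.UnpicklingError:
        return False


def demo():
    good = pickle.dumps(SAMPLE_TABLE)
    # A pickle naming even a harmless builtin needs find_class(), so the
    # restricted loader rejects it; plain data is unaffected.
    needs_global = pickle.dumps(sorted)  # pickled by reference as builtins.sorted
    return is_data_only(good), is_data_only(needs_global)


if __name__ == "__main__":
    print(demo())
```

The same `find_class` override can instead allow-list the handful of names a given table format legitimately needs, if it is not purely data.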

