Bug 1834423 (CVE-2020-10735) - CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1847912 1896277 1896278 1896279 1896280 1896281 1896282 2124160 2124161 2124162 2124163 2125239 2126379 2126453 2126454 2126455 2158478
Blocks: 1832782 2124170
 
Reported: 2020-05-11 16:55 UTC by msiddiqu
Modified: 2024-01-24 16:49 UTC
CC List: 31 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python. PyLong_FromString(), which backs int("text"), converts strings in non-binary bases (such as base 10) with an algorithm of quadratic time complexity, so a system takes about 50 ms to parse an int string with 100,000 digits and about 5 s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for the binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2023-05-16 16:49:25 UTC
Embargoed:



Links

System | ID | Private | Priority | Status | Summary | Last Updated
Github python/cpython issues | 95778 | 0 | None | open | CVE-2020-10735: Prevent DoS by large int<->str conversions | 2022-09-02 06:41:43 UTC
Github python/cpython pull | 96499 | 0 | None | open | gh-95778: CVE-2020-10735: Prevent DoS by very large int() | 2022-09-02 06:41:43 UTC
Github python/cpython pull | 96500 | 0 | None | open | [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() | 2022-09-02 06:41:43 UTC
Github python/cpython pull | 96501 | 0 | None | open | [3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() | 2022-09-02 06:41:43 UTC
Github python/cpython pull | 96502 | 0 | None | Draft | [3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() | 2022-09-02 06:41:43 UTC
Github python/cpython pull | 96503 | 0 | None | Draft | [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() | 2022-09-02 06:41:43 UTC
Github python/cpython pull | 96504 | 0 | None | Draft | [3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() | 2022-09-02 06:41:43 UTC
Red Hat Product Errata | RHSA-2022:6766 | 0 | None | None | None | 2022-10-03 15:20:01 UTC
Red Hat Product Errata | RHSA-2022:7323 | 0 | None | None | None | 2022-11-02 14:33:40 UTC
Red Hat Product Errata | RHSA-2023:0833 | 0 | None | None | None | 2023-02-21 09:21:36 UTC
Red Hat Product Errata | RHSA-2023:2763 | 0 | None | None | None | 2023-05-16 08:09:54 UTC
Red Hat Product Errata | RHSA-2023:2764 | 0 | None | None | None | 2023-05-16 08:10:01 UTC
Red Hat Product Errata | RHSA-2024:0430 | 0 | None | None | None | 2024-01-24 16:49:32 UTC

Description msiddiqu 2020-05-11 16:55:17 UTC
A vulnerability was found in PyLong_FromString() in Python, which is used by int("text"). For non-binary bases it uses an algorithm with quadratic time complexity to convert a string into an arbitrary precision number. It takes about 50ms to parse an int string with 100,000 digits and about 5sec for 1,000,000 digits. The float type, decimal type, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected.
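Added example (editor's code, not part of the bug report or of CPython): the upstream fix referenced above (gh-95778) caps the number of digits in int<->str conversions for bases that are not a power of two, and exposes the cap through sys.get_int_max_str_digits() / sys.set_int_max_str_digits(). The block below checks whether the running interpreter carries that fix, shows that both int("...") and str(big_int) are rejected beyond the cap, times the decimal parse with the cap lifted so the quadratic growth is visible, and gives an application-level guard for interpreters that predate the fix. The 4300-digit default, the exemption of bases 2, 4, 8, 16 and 32, and treating base 0 (prefix auto-detect) as non-binary in the guard are the assumptions made here; the last one is a conservative choice, not upstream's rule.

```python
import sys
import time

# Interpreters with the gh-95778 fix expose these two sys functions; older ones do not.
def digits_limit_supported() -> bool:
    return hasattr(sys, "set_int_max_str_digits") and hasattr(sys, "get_int_max_str_digits")

# Power-of-two bases convert in linear time and are exempt from the limit.
POWER_OF_TWO_BASES = {2, 4, 8, 16, 32}

def count_digits(text: str) -> int:
    # int() tolerates surrounding whitespace, one sign and single underscores
    # between digits; none of those add conversion work, so count only the rest.
    s = text.strip().lstrip("+-")
    return len(s.replace("_", ""))

def parse_int_bounded(text: str, base: int = 10, max_digits: int = 4300) -> int:
    """Application-level guard: bound the digit count *before* int() runs.
    Needed on interpreters without the fix; on fixed ones it mirrors the
    assumed 4300-digit default. Base 0 is treated as non-binary (assumption)."""
    if base not in POWER_OF_TWO_BASES:
        n = count_digits(text)
        if n > max_digits:
            raise ValueError(
                f"refusing to parse {n}-digit base-{base} integer (limit {max_digits})")
    return int(text, base)

def interpreter_rejects_str_to_int(n_digits: int) -> bool:
    """True if this interpreter's own limit rejects an n_digits decimal string."""
    try:
        int("9" * n_digits)
    except ValueError:
        return True
    return False

def interpreter_rejects_int_to_str(n_digits: int) -> bool:
    """The fix limits the reverse direction too: str()/repr() of a huge int."""
    try:
        str(10 ** n_digits)  # n_digits + 1 decimal digits
    except ValueError:
        return True
    return False

def time_decimal_parse(n_digits: int) -> float:
    """Seconds to parse an n_digits decimal string with the limit lifted
    (and restored afterwards). On the quadratic algorithm this bug describes,
    doubling n_digits roughly quadruples the time."""
    text = "7" * n_digits
    old = None
    if digits_limit_supported():
        old = sys.get_int_max_str_digits()
        sys.set_int_max_str_digits(0)  # 0 disables the limit
    try:
        t0 = time.perf_counter()
        int(text)
        return time.perf_counter() - t0
    finally:
        if old is not None:
            sys.set_int_max_str_digits(old)

if __name__ == "__main__":
    print("limit API present:", digits_limit_supported())
    if digits_limit_supported():
        print("default limit:", sys.get_int_max_str_digits())
    print("int() of 100,000 digits rejected:", interpreter_rejects_str_to_int(100_000))
    print("str(10**100000) rejected:", interpreter_rejects_int_to_str(100_000))
    for n in (50_000, 100_000, 200_000):
        print(f"{n:>7} digits: {time_decimal_parse(n) * 1000:8.1f} ms")
```

On a fixed interpreter the same cap can be set without code changes via the PYTHONINTMAXSTRDIGITS environment variable or the -X int_max_str_digits command-line option; on an unfixed one only a guard such as parse_int_bounded() (or never passing attacker-controlled strings to int() in a non-binary base) prevents the slowdown.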

Comment 2 lnacshon 2020-06-17 10:38:53 UTC
Upstream Python is going to provide fixes for all supported Python versions (3.5, 3.6, 3.7, 3.8, 3.9-dev).

Comment 12 Sandipan Roy 2022-09-05 05:41:45 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2124161]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2124160]

Comment 13 Sandipan Roy 2022-09-05 05:43:47 UTC
Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 2124162]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 2124163]

Comment 14 Miro Hrončok 2022-09-09 12:07:12 UTC
(In reply to Sandipan Roy from comment #13)
> Created python34 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2124162]
> 
> 
> Created python35 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2124163]

Both of the packages are retired in Fedora for many releases :/

Comment 16 Fedora Update System 2022-09-13 01:27:35 UTC
FEDORA-2022-4b31e33ed0 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2022-09-13 01:27:42 UTC
FEDORA-2022-46a44a7f83 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Fedora Update System 2022-09-14 00:21:35 UTC
FEDORA-2022-b01214472e has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2022-09-14 00:22:13 UTC
FEDORA-2022-f330bbfda2 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2022-09-14 00:22:21 UTC
FEDORA-2022-6d57598a23 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 23 Fedora Update System 2022-09-14 01:41:57 UTC
FEDORA-2022-8535093cba has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 25 Fedora Update System 2022-09-23 01:20:33 UTC
FEDORA-2022-0b3904c674 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 26 Fedora Update System 2022-09-25 01:43:19 UTC
FEDORA-2022-ac82a548df has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 27 errata-xmlrpc 2022-10-03 15:19:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6766 https://access.redhat.com/errata/RHSA-2022:6766

Comment 29 errata-xmlrpc 2022-11-02 14:33:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7323 https://access.redhat.com/errata/RHSA-2022:7323

Comment 31 errata-xmlrpc 2023-02-21 09:21:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0833 https://access.redhat.com/errata/RHSA-2023:0833

Comment 32 Gilbert Liao 2023-04-21 18:48:47 UTC
Hi Team,

RHSA-2023:0833 only provides fix for python3.6 on RHEL8, is there any plan for python3.8/3.9 fixes? If yes, any expected timeframe?

Thanks.

Comment 33 msiddiqu 2023-05-08 07:58:15 UTC
In reply to comment #32:
> Hi Team,
> 
> RHSA-2023:0833 only provides fix for python3.6 on RHEL8, is there any plan
> for python3.8/3.9 fixes? If yes, any expected timeframe?
> 
> Thanks.

Unfortunately, the timeframe cannot be stated, however it is scheduled to be public upon the upcoming release of RHEL-8.8.0.GA

Comment 34 errata-xmlrpc 2023-05-16 08:09:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2763 https://access.redhat.com/errata/RHSA-2023:2763

Comment 35 errata-xmlrpc 2023-05-16 08:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2764 https://access.redhat.com/errata/RHSA-2023:2764

Comment 36 Product Security DevOps Team 2023-05-16 16:49:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10735

Comment 38 errata-xmlrpc 2024-01-24 16:49:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0430 https://access.redhat.com/errata/RHSA-2024:0430
