1959951 – (CVE-2021-29510) CVE-2021-29510 python-pydantic: Use of "infinity" as an input to datetime and date fields causes infinite loop

Bug 1959951 (CVE-2021-29510) - CVE-2021-29510 python-pydantic: Use of "infinity" as an input to datetime and date fields causes infinite loop

Summary: CVE-2021-29510 python-pydantic: Use of "infinity" as an input to datetime and...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-29510
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1959952 1964011
Blocks:	1959953
TreeView+	depends on / blocked

Reported:	2021-05-12 17:31 UTC by Pedro Sampaio
Modified:	2021-11-04 14:58 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-04 14:58:52 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-05-12 17:31:32 UTC

Impact
Passing either 'infinity', 'inf' or float('inf') (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU).

Patches
Pydantic is be patched with fixes available in the following versions:

v1.8.2
v1.7.4
v1.6.2
All these versions are available on pypi, and will be available on conda-forge soon.

See the changelog for details.

References:

https://pydantic-docs.helpmanual.io/changelog/

Comment 1 Pedro Sampaio 2021-05-12 17:31:57 UTC

Created python-pydantic tracking bugs for this issue:

Affects: fedora-all [bug 1959952]

Note You need to log in before you can comment on or make changes to this bug.