Bug 1834423 (CVE-2020-10735) - CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS
Summary: CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amoun...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1847912 1896277 1896278 1896279 1896280 1896281 1896282 2124160 2124161 2124162 2124163 2125239 2126379 2126453 2126454 2126455 2158478
Blocks: 1832782 2124170
TreeView+ depends on / blocked
 
Reported: 2020-05-11 16:55 UTC by msiddiqu
Modified: 2024-01-24 16:49 UTC (History)
31 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2023-05-16 16:49:25 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github python cpython issues 95778 0 None open CVE-2020-10735: Prevent DoS by large int<->str conversions 2022-09-02 06:41:43 UTC
Github python cpython pull 96499 0 None open gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96500 0 None open [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96501 0 None open [3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96502 0 None Draft [3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96503 0 None Draft [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96504 0 None Draft [3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Red Hat Product Errata RHSA-2022:6766 0 None None None 2022-10-03 15:20:01 UTC
Red Hat Product Errata RHSA-2022:7323 0 None None None 2022-11-02 14:33:40 UTC
Red Hat Product Errata RHSA-2023:0833 0 None None None 2023-02-21 09:21:36 UTC
Red Hat Product Errata RHSA-2023:2763 0 None None None 2023-05-16 08:09:54 UTC
Red Hat Product Errata RHSA-2023:2764 0 None None None 2023-05-16 08:10:01 UTC
Red Hat Product Errata RHSA-2024:0430 0 None None None 2024-01-24 16:49:32 UTC

Description msiddiqu 2020-05-11 16:55:17 UTC 
A vulnerability was found in PyLong_FromString() in Python, which is used by int("text"). For non-binary bases it uses an algorithm with quadratic time complexity to convert a string into an arbitrary precision number. It takes about 50ms to parse an int string with 100,000 digits and about 5sec for 1,000,000 digits. The float type, decimal type, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected.
Comment 2 lnacshon 2020-06-17 10:38:53 UTC 
Upstream Python is going to provide fixes for all supported Python versions (3.5, 3.6, 3.7, 3.8, 3.9-dev).
Comment 12 Sandipan Roy 2022-09-05 05:41:45 UTC 
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2124161]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2124160]
Comment 13 Sandipan Roy 2022-09-05 05:43:47 UTC 
Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 2124162]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 2124163]
Comment 14 Miro Hrončok 2022-09-09 12:07:12 UTC 
(In reply to Sandipan Roy from comment #13)
> Created python34 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2124162]
> 
> 
> Created python35 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2124163]

Both of the packages are retired in Fedora for many releases :/
Comment 16 Fedora Update System 2022-09-13 01:27:35 UTC 
FEDORA-2022-4b31e33ed0 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 17 Fedora Update System 2022-09-13 01:27:42 UTC 
FEDORA-2022-46a44a7f83 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 20 Fedora Update System 2022-09-14 00:21:35 UTC 
FEDORA-2022-b01214472e has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 21 Fedora Update System 2022-09-14 00:22:13 UTC 
FEDORA-2022-f330bbfda2 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 22 Fedora Update System 2022-09-14 00:22:21 UTC 
FEDORA-2022-6d57598a23 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 23 Fedora Update System 2022-09-14 01:41:57 UTC 
FEDORA-2022-8535093cba has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 25 Fedora Update System 2022-09-23 01:20:33 UTC 
FEDORA-2022-0b3904c674 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 26 Fedora Update System 2022-09-25 01:43:19 UTC 
FEDORA-2022-ac82a548df has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 27 errata-xmlrpc 2022-10-03 15:19:57 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6766 https://access.redhat.com/errata/RHSA-2022:6766
Comment 29 errata-xmlrpc 2022-11-02 14:33:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7323 https://access.redhat.com/errata/RHSA-2022:7323
Comment 31 errata-xmlrpc 2023-02-21 09:21:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0833 https://access.redhat.com/errata/RHSA-2023:0833
Comment 32 Gilbert Liao 2023-04-21 18:48:47 UTC 
Hi Team,

RHSA-2023:0833 only provides fix for python3.6 on RHEL8, is there any plan for python3.8/3.9 fixes? If yes, any expected timeframe?

Thanks.
Comment 33 msiddiqu 2023-05-08 07:58:15 UTC 
In reply to comment #32:
> Hi Team,
> 
> RHSA-2023:0833 only provides fix for python3.6 on RHEL8, is there any plan
> for python3.8/3.9 fixes? If yes, any expected timeframe?
> 
> Thanks.

Unfortunately, the timeframe cannot be stated, however it is scheduled to be public upon the upcoming release of RHEL-8.8.0.GA
Comment 34 errata-xmlrpc 2023-05-16 08:09:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2763 https://access.redhat.com/errata/RHSA-2023:2763
Comment 35 errata-xmlrpc 2023-05-16 08:09:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2764 https://access.redhat.com/errata/RHSA-2023:2764
Comment 36 Product Security DevOps Team 2023-05-16 16:49:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10735
Comment 38 errata-xmlrpc 2024-01-24 16:49:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0430 https://access.redhat.com/errata/RHSA-2024:0430
Note You need to log in before you can comment on or make changes to this bug.