Bug 1834423 (CVE-2020-10735) - CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1847912 1896277 1896279 1896280 1896282 2124160 2124161 2124162 2124163 2125239 2126379 2126453 2126454 2126455 2158478
Blocks: 2124170
Reported: 2020-05-11 16:55 UTC by msiddiqu
Modified: 2024-01-24 16:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python. For non-binary bases, int("text") uses an algorithm with quadratic time complexity, so a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2023-05-16 16:49:25 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github python cpython issues 95778 0 None open CVE-2020-10735: Prevent DoS by large int<->str conversions 2022-09-02 06:41:43 UTC
Github python cpython pull 96499 0 None open gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96500 0 None open [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96501 0 None open [3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96502 0 None Draft [3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96503 0 None Draft [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Github python cpython pull 96504 0 None Draft [3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() 2022-09-02 06:41:43 UTC
Red Hat Product Errata RHSA-2022:6766 0 None None None 2022-10-03 15:20:01 UTC
Red Hat Product Errata RHSA-2022:7323 0 None None None 2022-11-02 14:33:40 UTC
Red Hat Product Errata RHSA-2023:0833 0 None None None 2023-02-21 09:21:36 UTC
Red Hat Product Errata RHSA-2023:2763 0 None None None 2023-05-16 08:09:54 UTC
Red Hat Product Errata RHSA-2023:2764 0 None None None 2023-05-16 08:10:01 UTC
Red Hat Product Errata RHSA-2024:0430 0 None None None 2024-01-24 16:49:32 UTC

Description msiddiqu 2020-05-11 16:55:17 UTC
A vulnerability was found in PyLong_FromString() in Python, which is used by int("text"). For non-binary bases it uses an algorithm with quadratic time complexity to convert a string into an arbitrary precision number. It takes about 50ms to parse an int string with 100,000 digits and about 5sec for 1,000,000 digits. The float type, decimal type, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected.
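
An added example (not code from this bug report or from CPython) showing the defensive handling the description implies: refuse oversized digit strings for non-binary bases before int() starts its quadratic conversion, while leaving power-of-two bases alone because they are unaffected. It assumes an interpreter that carries the upstream fix for gh-95778 linked above (which adds sys.get_int_max_str_digits() and makes int() raise ValueError past a default of 4300 digits); on an unfixed interpreter the pre-check is the only protection, and the sample strings are constructed inline.

```python
import sys
import time

# Default limit chosen by the upstream fix for gh-95778; unfixed interpreters enforce none.
DEFAULT_MAX_DIGITS = 4300
# Power-of-two bases convert in linear time and are not affected.
BINARY_BASES = {2, 4, 8, 16, 32}


def interpreter_limits_int_str() -> bool:
    """True when this interpreter carries the digit-limit mitigation."""
    return hasattr(sys, "get_int_max_str_digits")


def digit_count(text: str) -> int:
    """Digits in a numeric literal, ignoring sign, outer whitespace and '_'."""
    return sum(1 for ch in text.strip().lstrip("+-") if ch != "_")


def parse_int_safely(text: str, base: int = 10,
                     max_digits: int = DEFAULT_MAX_DIGITS) -> int:
    """Convert untrusted text with int(), but refuse oversized inputs for
    non-binary bases before the quadratic conversion ever starts."""
    n = digit_count(text)
    if base not in BINARY_BASES and n > max_digits:
        raise ValueError(f"refusing {n} digits in base {base}, limit {max_digits}")
    return int(text, base)


def time_conversion(ndigits: int, base: int = 10):
    """Seconds spent in int() on a constructed ndigits-long string, or None
    when a fixed interpreter refuses the conversion with ValueError."""
    text = ("9" if base == 10 else "f") * ndigits
    start = time.perf_counter()
    try:
        int(text, base)
    except ValueError:
        return None
    return time.perf_counter() - start


if __name__ == "__main__":
    print("digit limit enforced:", interpreter_limits_int_str())
    for n in (10_000, 40_000):
        print(n, "digits: base 10", time_conversion(n, 10), "base 16", time_conversion(n, 16))
    try:
        parse_int_safely("9" * 5000)
    except ValueError as exc:
        print("pre-check refused:", exc)
```

Base-16 timings stay flat as the digit count grows, while base-10 timings grow quadratically on an unfixed interpreter or come back as None once the fix refuses them.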

Comment 2 lnacshon 2020-06-17 10:38:53 UTC
Upstream Python is going to provide fixes for all supported Python versions (3.5, 3.6, 3.7, 3.8, 3.9-dev).

Comment 12 Sandipan Roy 2022-09-05 05:41:45 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2124161]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2124160]

Comment 13 Sandipan Roy 2022-09-05 05:43:47 UTC
Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 2124162]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 2124163]

Comment 14 Miro Hrončok 2022-09-09 12:07:12 UTC
(In reply to Sandipan Roy from comment #13)
> Created python34 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2124162]
> 
> 
> Created python35 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2124163]

Both of the packages are retired in Fedora for many releases :/

Comment 16 Fedora Update System 2022-09-13 01:27:35 UTC
FEDORA-2022-4b31e33ed0 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 17 Fedora Update System 2022-09-13 01:27:42 UTC
FEDORA-2022-46a44a7f83 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 20 Fedora Update System 2022-09-14 00:21:35 UTC
FEDORA-2022-b01214472e has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 21 Fedora Update System 2022-09-14 00:22:13 UTC
FEDORA-2022-f330bbfda2 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 22 Fedora Update System 2022-09-14 00:22:21 UTC
FEDORA-2022-6d57598a23 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 23 Fedora Update System 2022-09-14 01:41:57 UTC
FEDORA-2022-8535093cba has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 25 Fedora Update System 2022-09-23 01:20:33 UTC
FEDORA-2022-0b3904c674 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 26 Fedora Update System 2022-09-25 01:43:19 UTC
FEDORA-2022-ac82a548df has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 27 errata-xmlrpc 2022-10-03 15:19:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6766 https://access.redhat.com/errata/RHSA-2022:6766

Comment 29 errata-xmlrpc 2022-11-02 14:33:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7323 https://access.redhat.com/errata/RHSA-2022:7323

Comment 31 errata-xmlrpc 2023-02-21 09:21:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0833 https://access.redhat.com/errata/RHSA-2023:0833

Comment 32 Gilbert Liao 2023-04-21 18:48:47 UTC
Hi Team,

RHSA-2023:0833 only provides a fix for python3.6 on RHEL8. Is there any plan for python3.8/3.9 fixes? If yes, any expected timeframe?

Thanks.

Comment 33 msiddiqu 2023-05-08 07:58:15 UTC
In reply to comment #32:
> Hi Team,
> 
> RHSA-2023:0833 only provides a fix for python3.6 on RHEL8. Is there any plan
> for python3.8/3.9 fixes? If yes, any expected timeframe?
> 
> Thanks.

Unfortunately, the timeframe cannot be stated; however, it is scheduled to be public upon the upcoming release of RHEL-8.8.0.GA.

Comment 34 errata-xmlrpc 2023-05-16 08:09:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2763 https://access.redhat.com/errata/RHSA-2023:2763

Comment 35 errata-xmlrpc 2023-05-16 08:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2764 https://access.redhat.com/errata/RHSA-2023:2764

Comment 36 Product Security DevOps Team 2023-05-16 16:49:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10735

Comment 38 errata-xmlrpc 2024-01-24 16:49:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0430 https://access.redhat.com/errata/RHSA-2024:0430
