diff options
| author | Gregory P. Smith <gps@google.com> | 2022-09-02 16:51:49 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-02 16:51:49 (GMT) |
| commit | 8f0fa4bd10aba723aff988720cd26b93be99bc12 (patch) | |
| tree | 533e993997f3f0135df42dfca9796996361ca504 /Doc/whatsnew | |
| parent | bbcb03e7b07ecf6f3ed0c308f72bc10f928c85a8 (diff) | |
| download | cpython-8f0fa4bd10aba723aff988720cd26b93be99bc12.zip cpython-8f0fa4bd10aba723aff988720cd26b93be99bc12.tar.gz cpython-8f0fa4bd10aba723aff988720cd26b93be99bc12.tar.bz2 | |
[3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96501)
Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.
This PR comes fresh from a pile of work done in our private PSRT security response team repo.
This backports https://github.com/python/cpython/pull/96499 aka 511ca9452033ef95bc7d7fc404b8161068226002
Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
Diffstat (limited to 'Doc/whatsnew')
| -rw-r--r-- | Doc/whatsnew/3.10.rst | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst index 19ffd7e..16855c1 100644 --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst @@ -2322,3 +2322,19 @@ Removed * The ``PyThreadState.use_tracing`` member has been removed to optimize Python. (Contributed by Mark Shannon in :issue:`43760`.) + + +Notable security feature in 3.10.7 +================================== + +Converting between :class:`int` and :class:`str` in bases other than 2 +(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) +now raises a :exc:`ValueError` if the number of digits in string form is +above a limit to avoid potential denial of service attacks due to the +algorithmic complexity. This is a mitigation for `CVE-2020-10735 +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. +This limit can be configured or disabled by environment variable, command +line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion +length limitation <int_max_str_digits>` documentation. The default limit +is 4300 digits in string form. + |