Skip to content

[3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() #96503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ambv merged 17 commits into from
Sep 5, 2022
Merged

[3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() #96503

Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
b518238
Backport to 3.8 of psrt/CVE-2020-10735-3.10backport.
gpshead Aug 19, 2022
504e82f
Fix the versionchanged/addeds to 3.8.14.
gpshead Aug 30, 2022
cae5eba
add the attribution to the NEWS entry.
gpshead Aug 30, 2022
cd54fc3
Backport the Parser/pegen.c change for a good SyntaxError to ast.c.
gpshead Aug 30, 2022
eb68f9c
Add Whats New entry.
gpshead Aug 30, 2022
75bbbbf
Manually add new field to abi file
tiran Sep 1, 2022
14467fc
Move the whatsnew text per review.
gpshead Sep 1, 2022
1e39232
Merge branch 'CVE-2020-10735-3.8backport' of github.com:python/psrt i…
gpshead Sep 1, 2022
70b9aef
Make the doctest actually run & fix it.
gpshead Sep 1, 2022
7eb255f
Fix the docs build.
gpshead Sep 2, 2022
0504ecb
Rename the news file to appease the Bedevere bot.
gpshead Sep 2, 2022
8acc891
hexadecimal spelling =)
gpshead Sep 2, 2022
52f2c26
doc typo: limitation
gpshead Sep 4, 2022
510349b
Misc: Fix a typo in the header comment.
gpshead Sep 4, 2022
ac99726
remove unneeded doc note on float.as_integer_ratio
gpshead Sep 4, 2022
17bd053
gh-95778: Correctly pre-check for int-to-str conversion (#96537)
mdickinson Sep 4, 2022
c9212d5
Use the 3.8 Get API for it to compile.
gpshead Sep 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Move the whatsnew text per review. 
Ned pointed this out on the 3.7 branch, it matches other patch changes
and stands out better.
  • Loading branch information
@gpshead
gpshead committed Sep 1, 2022
commit 14467fc70e7c5df205bff2864b6488aa3d6398e5
26 changes: 14 additions & 12 deletions Doc/whatsnew/3.8.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -538,18 +538,6 @@ Other Language Changes
:meth:`~__setstate__` method.
(Contributed by Pierre Glaser and Olivier Grisel in :issue:`35900`.)

* New security feature in 3.8.14:
Converting between :class:`int` and :class:`str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexidecimal), or 32 such as base 10 (decimal)
now raises a :exc:`ValueError` if the number of digits in string form is
above a limit to avoid potential denial of service attacks due to the
algorithmic complexity. This is a mitigation for `CVE-2020-10735
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
This limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
length limitation <int_max_str_digits>` documentation. The default limit
is 4300 digits in string form.

New Modules
===========

Expand Down Expand Up @@ -2337,3 +2325,17 @@ any leading zeros.

(Originally contributed by Christian Heimes in :issue:`36384`, and backported
to 3.8 by Achraf Merzouki)

Notable security feature in 3.8.14
==================================

Converting between :class:`int` and :class:`str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexidecimal), or 32 such as base 10 (decimal)
now raises a :exc:`ValueError` if the number of digits in string form is
above a limit to avoid potential denial of service attacks due to the
algorithmic complexity. This is a mitigation for `CVE-2020-10735
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
This limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
length limitation <int_max_str_digits>` documentation. The default limit
is 4300 digits in string form.