Skip to content

00387: CVE-2020-10735: Prevent DoS by very large int() #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 5, 2022
Merged

00387: CVE-2020-10735: Prevent DoS by very large int() #51

merged 1 commit into from
Oct 5, 2022

Conversation

vstinner
Copy link

pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command line flag, or :mod:sys APIs. See the Integer String Conversion Length Limitation documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

  • Use "Python 3.6.16" version in the documentation, whereas this version will never be released
  • Only add _Py_global_config_int_max_str_digits global variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
  • sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is set to the default limit. Adapt test_int_max_str_digits() for that.
  • Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only if the Py_BUILD_CORE macro is defined.
  • Declare _Py_global_config_int_max_str_digits in pydebug.h.

@vstinner
Copy link
Author

@corona10 @mdickinson: Here is my backport of the CVE-2020-10735 to Python 3.6.

@mdickinson
Copy link

@vstinner Thank you for the link! This is very helpful.

hroncok
hroncok reviewed Sep 15, 2022
View reviewed changes
@vstinner
Copy link
Author

vstinner commented Oct 5, 2022

Update:

  • Replace (non existent) version 3.6.16 with (Fedora package version) 3.6.15-13
  • Backport error message fix (commit e841ffc)
  • Backport command line parsing fix (commit 4135166)

@vstinner
00387: CVE-2020-10735: Prevent DoS by very large int()
31cfb69 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
@vstinner
Copy link
Author

vstinner commented Oct 5, 2022

PR rebased on top of 3.6.15-12 fix.

@stratakis
Copy link
Member

Everything looks good, feel free to force-push.

@vstinner vstinner merged commit 31cfb69 into fedora-python:fedora-3.6 Oct 5, 2022
@vstinner vstinner deleted the fedora-3.6-maxdigits branch October 5, 2022 14:28
@vstinner
Copy link
Author

vstinner commented Oct 5, 2022
edited
Loading

I pushed the commit (git push origin HEAD) and created fedora-3.6.15-13 tag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hroncok hroncok hroncok left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vstinner @mdickinson @stratakis @hroncok