
Bug 868150 (CVE-2020-10735)

Summary: <dev-lang/python-{3.8.13_p8, 3.9.13_p6, 3.10.6_p4, 3.11.0_rc1_p2}, dev-python/pypy{,3}: Denial of service via abuse of bignum int type
Product: Gentoo Security
Component: Vulnerabilities
Status: IN_PROGRESS
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Sam James <sam>
Assignee: Gentoo Security <security>
CC: mgorny, python
See Also: https://github.com/python/cpython/issues/95778
https://foss.heptapod.net/pypy/pypy/-/issues/3805
Whiteboard: A3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 868240, 868243, 868246, 868555, 868558, 868561    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-03 04:31:54 UTC
Noticed from https://github.com/python/cpython/commit/511ca9452033ef95bc7d7fc404b8161068226002.

"Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds."

See https://github.com/python/cpython/issues/95778.
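
A defensive wrapper for both conversion directions named in the quoted text, added here as an example (it is not code from this bug report or from CPython). The names `parse_untrusted_int`, `bounded_str`, `interpreter_limit` and the `MAX_DIGITS` cap are assumptions made for the example; `sys.get_int_max_str_digits` is the interface that patched CPython builds provide.

```python
import sys

MAX_DIGITS = 4300   # assumed application cap; same value as patched CPython's default limit
LOG10_2 = 0.30103   # slightly above log10(2), so the digit estimate below rounds upward


def interpreter_limit():
    """Digit limit enforced by the interpreter itself.

    None means the build predates the fix (no sys.get_int_max_str_digits);
    0 means the limit exists but has been disabled.
    """
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter is not None else None


def parse_untrusted_int(text, max_digits=MAX_DIGITS):
    """str -> int for untrusted input; the length is checked before int() runs."""
    s = text.strip()
    body = s[1:] if s.startswith(("+", "-")) else s
    if len(body) > max_digits:
        raise ValueError(f"integer literal has {len(body)} characters, cap is {max_digits}")
    # Accept plain ASCII decimal digits only: no underscores, no prefixes, no Unicode digits.
    if not (body.isascii() and body.isdigit()):
        raise ValueError("not a plain decimal integer")
    return int(s)


def bounded_str(n, max_digits=MAX_DIGITS):
    """int -> str; the digit count is estimated from bit_length() before str() runs."""
    # bit_length() is cheap; the estimate is an upper bound, so it can reject a
    # value sitting exactly at the cap but never lets an oversized one through.
    est_digits = int(n.bit_length() * LOG10_2) + 1
    if est_digits > max_digits:
        raise ValueError(f"integer has about {est_digits} digits, cap is {max_digits}")
    return str(n)


if __name__ == "__main__":
    limit = interpreter_limit()
    print("interpreter limit:", "not available (unpatched build)" if limit is None else limit)
    print(parse_untrusted_int(" -42 "), bounded_str(10**50))
```

The explicit checks keep behaviour the same on interpreters without the backport, which is why they do not rely on the interpreter raising `ValueError` on its own.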
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-09-03 06:58:22 UTC
That looks like a humongous thing to backport...
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-09-03 06:59:19 UTC
Oh, I see that there are backports for 3.11 and 3.10 already.  That's good.
Comment 3 Larry the Git Cow gentoo-dev 2022-09-03 09:37:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02aa8f369458eafa0cb6f41d988ed5d8d5d91539

commit 02aa8f369458eafa0cb6f41d988ed5d8d5d91539
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 09:12:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:58 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.8.13_p7
    
    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p7.ebuild | 348 ++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52dec296c93128dcad53c35c3bcc3444513914d8

commit 52dec296c93128dcad53c35c3bcc3444513914d8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 09:02:13 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:57 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.9.13_p5
    
    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p5.ebuild | 402 ++++++++++++++++++++++++++++++++
 2 files changed, 403 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b5c58a4edb18b0e05698cc34976f69fb3686660

commit 9b5c58a4edb18b0e05698cc34976f69fb3686660
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 08:55:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:56 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.10.6_p3
    
    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p3.ebuild | 407 ++++++++++++++++++++++++++++++++
 2 files changed, 408 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0604f03d329ad2dc5d8c3a2893cf3de071c0f60

commit f0604f03d329ad2dc5d8c3a2893cf3de071c0f60
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 08:40:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:56 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.11.0_rc1_p1
    
    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                    |   1 +
 dev-lang/python/python-3.11.0_rc1_p1.ebuild | 481 ++++++++++++++++++++++++++++
 2 files changed, 482 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-12 14:54:31 UTC
Did pypy ever get fixed versions here?
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-12 15:08:44 UTC
(In reply to John Helmert III from comment #4)
> Did pypy ever get fixed versions here?

No.  I think at least part of the problem was fixed in hg but it didn't make it to a release yet.  The issue falls very much into the "debated" thing.