Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 880629 (CVE-2022-45061)

Summary: <dev-lang/python-{3.8.15_p3,3.9.15_p3,3.10.8_p3,3.11.0_p2,3.12.0_alpha1_p2} <dev-python/pypy3-7.3.9_p9: CPU denial of service via inefficient IDNA decoder
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/python/cpython/issues/98433
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 880637, 880639, 880641, 880643, 880645    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-09 16:25:58 UTC 
CVE-2022-45061:

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Not sure if in any releases yet.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-10 00:32:46 UTC 
Thanks!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-15 15:20:52 UTC 
Cleanup done.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-15 16:49:47 UTC 
Thank you!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:16:05 UTC 
GLSA requested
Comment 5 Larry the Git Cow gentoo-dev 2023-05-03 09:32:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)