Noticed from https://github.com/python/cpython/commit/511ca9452033ef95bc7d7fc404b8161068226002. "Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds." See https://github.com/python/cpython/issues/95778.
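A defensive check for the conversion cost described in that report, as an added example that is not part of this bug or of the referenced CPython patch: `safe_int` bounds the digit count of untrusted text before calling `int()` (for interpreters without the fix), and `runtime_limit_rejects` probes whether the running interpreter's own limit from the fix is active. Both helper names are assumptions; the 4300-digit default mirrors the one CPython's fix adopted.

```python
import sys

# CPython's fix caps str<->int conversion at a default of 4300 decimal
# digits and exposes sys.get_int_max_str_digits()/set_int_max_str_digits().
# On older interpreters without the cap, application code has to bound the
# input length itself, which is what safe_int() below does (assumed helper).
ASSUMED_MAX_DIGITS = 4300  # mirrors CPython's default; tune per application


def safe_int(text: str, max_digits: int = ASSUMED_MAX_DIGITS) -> int:
    """Parse untrusted decimal text with a length check *before* int().

    str->int for non-power-of-two bases is quadratic in the digit count, so
    the cheap O(n) length test is what keeps a multi-second conversion from
    ever starting.
    """
    s = text.strip()
    body = s[1:] if s[:1] in "+-" else s
    if not body:
        raise ValueError("empty integer literal")
    # int() accepts single underscores between digits; they are not digits.
    digits = len(body) - body.count("_")
    if digits > max_digits:
        raise ValueError(
            f"integer literal has {digits} digits, limit is {max_digits}")
    return int(s)  # int() still validates syntax; its cost is now bounded


def runtime_limit_rejects(ndigits: int) -> bool:
    """Report whether this interpreter's own limit (the backported fix)
    rejects converting a string of `ndigits` decimal digits."""
    if not hasattr(sys, "get_int_max_str_digits"):
        return False  # unpatched interpreter: no limit exists at all
    limit = sys.get_int_max_str_digits()
    if limit == 0:
        return False  # limit explicitly disabled by the operator
    try:
        int("9" * ndigits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_int("  -1_000_000 "))
    print("interpreter rejects 5000-digit input:", runtime_limit_rejects(5_000))
```

On a patched interpreter the second line prints `True`; on an unpatched one it prints `False`, which is exactly the case `safe_int` exists for.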
That looks like a humongous thing to backport...
Oh, I see that there are backports for 3.11 and 3.10 already. That's good.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02aa8f369458eafa0cb6f41d988ed5d8d5d91539

commit 02aa8f369458eafa0cb6f41d988ed5d8d5d91539
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 09:12:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:58 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.8.13_p7

    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p7.ebuild | 348 ++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52dec296c93128dcad53c35c3bcc3444513914d8

commit 52dec296c93128dcad53c35c3bcc3444513914d8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 09:02:13 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:57 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.9.13_p5

    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p5.ebuild | 402 ++++++++++++++++++++++++++++++++
 2 files changed, 403 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b5c58a4edb18b0e05698cc34976f69fb3686660

commit 9b5c58a4edb18b0e05698cc34976f69fb3686660
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 08:55:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:56 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.10.6_p3

    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p3.ebuild | 407 ++++++++++++++++++++++++++++++++
 2 files changed, 408 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0604f03d329ad2dc5d8c3a2893cf3de071c0f60

commit f0604f03d329ad2dc5d8c3a2893cf3de071c0f60
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-03 08:40:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-03 09:36:56 +0000

    dev-lang/python: Backport bignum vuln. fix to 3.11.0_rc1_p1

    Bug: https://bugs.gentoo.org/868150
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                    |   1 +
 dev-lang/python/python-3.11.0_rc1_p1.ebuild | 481 ++++++++++++++++++++++++++++
 2 files changed, 482 insertions(+)
Did pypy ever get fixed versions here?
(In reply to John Helmert III from comment #4)
> Did pypy ever get fixed versions here?

No. I think at least part of the problem was fixed in hg but it didn't make it to a release yet. The issue falls very much into the "debated" thing.