Bug 789603 (CVE-2021-29510) - <dev-python/pydantic-1.8.2: Use of "infinity" as an input to datetime and date fields causes infinite loop (CVE-2021-29510)
Summary: <dev-python/pydantic-1.8.2: Use of "infinity" as an input to datetime and dat...
Status: RESOLVED FIXED
Alias: CVE-2021-29510
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/samuelcolvin/pydan...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-12 08:04 UTC by Michał Górny
Modified: 2021-05-15 01:09 UTC (History)

See Also:
Package list:
dev-python/pydantic-1.8.2
Runtime testing required: ---
nattka: sanity-check-

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-12 08:04:24 UTC
Impact
Passing either 'infinity', 'inf' or float('inf') (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU).

Patches
Pydantic has been patched with fixes available in the following versions:

v1.8.2
v1.7.4
v1.6.2
All these versions are available on PyPI, and will be available on conda-forge soon.

See the changelog for details.
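
For hosts that cannot move to a fixed release straight away, the inputs named under Impact can be rejected before they reach a date or datetime field, and an installed version string can be compared against the fixed releases listed under Patches. This is an added example, not part of the bug report or of pydantic; the function names are hypothetical, the guard goes beyond the listed spellings by rejecting anything `float()` parses as infinity, and the handling of branches outside 1.6 to 1.8 is an assumption.

```python
import math
from decimal import Decimal

# Fixed releases listed in the report, keyed by (major, minor) branch.
FIXED = {(1, 8): (1, 8, 2), (1, 7): (1, 7, 4), (1, 6): (1, 6, 2)}


def is_patched(version: str) -> bool:
    """True if a plain X.Y.Z version carries the fix.

    Assumption (not stated in the report): branches older than 1.6 are
    unpatched and branches newer than 1.8 include the fix.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    fixed = FIXED.get(parts[:2])
    return parts >= fixed if fixed else parts[:2] > max(FIXED)


def is_infinite_input(value) -> bool:
    """True if value is, or parses as, positive or negative infinity."""
    if isinstance(value, Decimal):
        return value.is_infinite()
    if isinstance(value, float):
        return math.isinf(value)
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    if isinstance(value, str):
        try:
            return math.isinf(float(value))
        except ValueError:
            return False  # not numeric, e.g. an ISO 8601 string
    return False  # ints, date objects, None and so on


def guard_temporal(value):
    """Call on raw input before it reaches a date or datetime field."""
    if is_infinite_input(value):
        raise ValueError("infinite value rejected for date/datetime field")
    return value


if __name__ == "__main__":
    # Constructed sample inputs.
    for raw in ["infinity", "-inf", float("inf"), "2021-05-12T08:04:24", 1620806664]:
        print(repr(raw), "rejected" if is_infinite_input(raw) else "allowed")
    print("1.8.1 patched:", is_patched("1.8.1"), "| 1.8.2 patched:", is_patched("1.8.2"))
```
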
Comment 1 NATTkA bot gentoo-dev 2021-05-12 08:08:20 UTC
Unable to check for sanity:

> no match for package: dev-python/pydantic-1.8.2
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:09:30 UTC
All done, thanks