Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 789603 (CVE-2021-29510) - <dev-python/pydantic-1.8.2: Use of "infinity" as an input to datetime and date fields causes infinite loop (CVE-2021-29510)
Summary: <dev-python/pydantic-1.8.2: Use of "infinity" as an input to datetime and dat...
Status: RESOLVED FIXED
Alias: CVE-2021-29510
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/samuelcolvin/pydan...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-12 08:04 UTC by Michał Górny
Modified: 2021-05-15 01:09 UTC (History)
1 user (show)

See Also:
Package list:
dev-python/pydantic-1.8.2
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-12 08:04:24 UTC
Impact
Passing either 'infinity', 'inf' or float('inf') (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU).

Patches
Pydantic is be patched with fixes available in the following versions:

v1.8.2
v1.7.4
v1.6.2
All these versions are available on pypi, and will be available on conda-forge soon.

See the changelog for details.
Comment 1 NATTkA bot gentoo-dev 2021-05-12 08:08:20 UTC
Unable to check for sanity:

> no match for package: dev-python/pydantic-1.8.2
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:09:30 UTC
All done, thanks