Bug 880629 (CVE-2022-45061) - <dev-lang/python-{3.8.15_p3,3.9.15_p3,3.10.8_p3,3.11.0_p2,3.12.0_alpha1_p2} <dev-python/pypy3-7.3.9_p9: CPU denial of service via inefficient IDNA decoder
Status: IN_PROGRESS
Alias: CVE-2022-45061
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/python/cpython/iss...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 880637 880639 880641 880643 880645
Blocks:
Reported: 2022-11-09 16:25 UTC by John Helmert III
Modified: 2022-11-19 01:16 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2022-11-09 16:25:58 UTC
CVE-2022-45061:

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Not sure if in any releases yet.
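As an added defensive illustration (not code from this bug, CPython or Gentoo), the wrapper below applies the RFC 1035 hostname length limits before an attacker-supplied name, such as the host in a 302 Location header, ever reaches Python's IDNA decoder; the function names and the sample header value are constructed for this example.

```python
"""Bound hostname size before IDNA decoding (added example, not CPython's fix)."""
from urllib.parse import urlsplit

# RFC 1035 limits: each label is at most 63 octets, a full name at most 253.
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63


def safe_idna_decode(name: bytes) -> str:
    """Decode an ACE-encoded hostname only after cheap O(n) structural checks.

    Oversized names are rejected here, so the decoder is never handed the
    unreasonably long input that triggers its expensive path.
    """
    if len(name) > MAX_NAME_LEN:
        raise ValueError("hostname too long: %d octets" % len(name))
    for label in name.split(b"."):
        if not label:
            # Strict: no empty labels, which also rejects a trailing dot.
            raise ValueError("empty label in hostname")
        if len(label) > MAX_LABEL_LEN:
            raise ValueError("label too long: %d octets" % len(label))
    return name.decode("idna")


def hostname_from_redirect(location: str) -> str:
    """Extract and safely decode the host from a Location header value.

    Raises ValueError when the URL has no host, the host is not ASCII on
    the wire, or it fails the length checks in safe_idna_decode().
    """
    host = urlsplit(location).hostname
    if not host:
        raise ValueError("Location header carries no host")
    try:
        raw = host.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("non-ASCII host in Location header") from None
    return safe_idna_decode(raw)


if __name__ == "__main__":
    # Constructed redirect target: punycode for "bücher.example".
    print(hostname_from_redirect("http://xn--bcher-kva.example/login"))
    # Constructed hostile redirect: a huge single label is refused up front.
    try:
        hostname_from_redirect("http://" + "a" * 100000 + ".example/")
    except ValueError as exc:
        print("rejected:", exc)
```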
Comment 1 John Helmert III 2022-11-10 00:32:46 UTC
Thanks!
Comment 2 Michał Górny 2022-11-15 15:20:52 UTC
Cleanup done.
Comment 3 John Helmert III 2022-11-15 16:49:47 UTC
Thank you!
Comment 4 John Helmert III 2022-11-19 01:16:05 UTC
GLSA requested