Google Git
Sign in
android / platform / external / python / cpython3 / 8f0fa4bd10aba723aff988720cd26b93be99bc12
commit8f0fa4bd10aba723aff988720cd26b93be99bc12[log] [tgz]
authorGregory P. Smith <gps@google.com>Fri Sep 02 09:51:49 2022 -0700
committerGitHub <noreply@github.com>Fri Sep 02 09:51:49 2022 -0700
tree533e993997f3f0135df42dfca9796996361ca504
parentbbcb03e7b07ecf6f3ed0c308f72bc10f928c85a8 [diff]
[3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96501)

Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499 aka 511ca9452033ef95bc7d7fc404b8161068226002

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
27 files changed
tree: 533e993997f3f0135df42dfca9796996361ca504
  1. .azure-pipelines/
  2. .github/
  3. Doc/
  4. Grammar/
  5. Include/
  6. Lib/
  7. Mac/
  8. Misc/
  9. Modules/
  10. Objects/
  11. Parser/
  12. PC/
  13. PCbuild/
  14. Programs/
  15. Python/
  16. Tools/
  17. .editorconfig
  18. .gitattributes
  19. .gitignore
  20. .travis.yml
  21. aclocal.m4
  22. CODE_OF_CONDUCT.md
  23. config.guess
  24. config.sub
  25. configure
  26. configure.ac
  27. install-sh
  28. LICENSE
  29. Makefile.pre.in
  30. netlify.toml
  31. pyconfig.h.in
  32. README.rst
  33. setup.py