CVE-2020-10735

3.6 is no longer maintained

bugs.txt

@@ -347,3 +347,7 @@ bpo-8674:
     author: Tomas Hoger
     date: 2010-05-10 13:43:22
     title: 'audioop: incorrect integer overflow checks'
+gh-95778:
+    author: gpshead
+    date: 2022-08-08 07:53:39
+    title: 'CVE-2020-10735: Prevent DoS by large int<->str conversions'

commit_dates.txt

@@ -23,6 +23,7 @@
 11bb2cdc6aa8db142a87de281b83293d500847b2: Tue May 11 13:05:30 2010 +0000
 11d258ceafdf60ab3840f9a5700f2d0ad3e2e2d1: Tue Aug 4 08:03:30 2020 +0530
 13a19139b5e76175bc95294d54afc9425e4f36c9: Fri Aug 9 08:22:19 2019 -0700
+15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2: Mon Sep 5 22:24:36 2022 -0700
 1698cacfb924d1df452e78d11a4bf81ae7777389: Sat Sep 28 09:33:00 2019 +0200
 16d63202af35dadd652a5e3eae687ea709e95b11: Wed Dec 12 12:05:59 2018 +0100
 16e6f7dee7f02bb81aa6b385b982dcdda5b99286: Thu Mar 7 08:02:26 2019 -0800
@@ -93,6 +94,7 @@
 4f06dae5d8d4400ba38d8502da620f07d4a5696e: Wed May 29 04:30:48 2019 +0200
 4fe82a8eef7aed60de05bfca0f2c322730ea921e: Sun Jul 14 09:04:15 2019 +0200
 4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd: Mon Nov 3 14:29:33 2014 -0500
+511ca9452033ef95bc7d7fc404b8161068226002: Fri Sep 2 09:35:08 2022 -0700
 51332c467ed2e07a191f903d554d0c54248e4d88: Fri Jan 31 13:12:20 2020 +1100
 515a7bc4e13645d0945b46a8e1d9102b918cd407: Wed May 5 10:25:29 2021 -0700
 516a6a254814d2bc6a90290dfc44d77fdfb4050b: Tue Jun 18 02:13:58 2019 +0200
@@ -174,6 +176,7 @@
 8e42fb7ada3198e66d3f060c5c87c52465a86e36: Sat Jul 3 13:46:01 2010 +0000
 8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1: Wed Jul 26 06:54:31 2017 +0300
 8eb64155ff26823542ccf0225b3d57b6ae36ea89: Tue Oct 1 19:58:01 2019 +0900
+8f0fa4bd10aba723aff988720cd26b93be99bc12: Fri Sep 2 09:51:49 2022 -0700
 90e01e50ef8a9e6c91f30d965563c378a4ad26de: Tue Jun 20 06:02:44 2017 -0700
 910886a6448e4bf1edf49eeace4aa240b6403772: Tue Aug 31 02:35:31 2021 -0400
 9165addc22d05e776a54319a8531ebd0b2fe01ef: Sat Mar 14 14:56:06 2020 -0400
@@ -217,6 +220,7 @@ b30ee26e366bf509b7538d79bfec6c6d38d53f28: Mon Jun 29 23:09:29 2020 +0530
 b3ac84322fe6dd542aa755779cdbc155edca8064: Sun Oct 12 08:50:11 2014 +0200
 b4bbee25b1e3f4bccac222f806b3138fb72439d6: Sat Jul 21 00:45:14 2012 +0200
 b57a73694e26e8b2391731b5ee0b1be59437388e: Thu Apr 2 03:16:17 2020 -0700
+b5e331fdb38684808ffc540d53e8595bdc408b89: Mon Sep 5 13:26:09 2022 -0700
 b664a1df4ee71d3760ab937653b10997081b1794: Tue Oct 6 05:37:36 2020 -0700
 b669bfc2bed1f5487ac2762bff53b55f6155bb60: Thu Mar 12 11:15:15 2015 +0200
 b98e7790c77a4378ec4b1c71b84138cb930b69b7: Wed Jul 1 00:50:21 2020 +0530
@@ -244,6 +248,7 @@ cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84: Thu Jul 16 21:48:01 2020 +0200
 cb5778f00ce48631c7140f33ba242496aaf7102b: Tue Sep 18 14:38:58 2018 +0200
 cb6085138a845f8324adc011b65754acc2086cc0: Fri Nov 22 06:42:13 2019 -0800
 cc54c1c0d2d05fe7404ba64c53df4b1352ed2262: Wed Jul 12 14:51:46 2017 +0200
+cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15: Mon Sep 5 02:21:03 2022 -0700
 cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9: Wed Jul 1 01:00:22 2020 +0530
 d0d4d30882fe3ab9b1badbecf5d15d94326fd13e: Mon Feb 15 10:34:14 2021 -0800
 d0e61bded5256e775e470e2c0da22367a1a81970: Wed Aug 16 18:05:57 2017 +0200
@@ -307,6 +312,7 @@ f4dac7ec55477a6c5d965e594e74bd6bda786903: Thu May 6 09:52:36 2021 -0700
 f61599b050c621386a3fc6bc480359e2d3bb93de: Tue Jun 4 09:40:16 2019 -0700
 f68d2d69f1da56c2aea1293ecf93ab69a6010ad7: Thu May 6 10:05:37 2021 -0700
 f7666e828cc3d5873136473ea36ba2013d624fa1: Tue Sep 18 06:14:13 2018 -0700
+f8b71da9aac6ea74808dcdd0cc266e705431356b: Fri Sep 2 09:48:57 2022 -0700
 f91a0b6df14d6c5133fe3d5889fad7d84fc0c046: Fri Jun 12 17:33:19 2020 +0200
 fa53dbdec818b0f2a0e22ca12a49d83ec948fc91: Fri Mar 10 01:49:11 2017 +0100
 faad6bbea6c86e30c770eb0a3648e2cd52b2e55e: Fri Dec 5 20:02:38 2014 -0500

commit_tags.txt

@@ -60,6 +60,8 @@
  3.5.10
 13a19139b5e76175bc95294d54afc9425e4f36c9
  3.6.10
+15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2
+ 3.7.14
 1698cacfb924d1df452e78d11a4bf81ae7777389
  3.6.10
 16d63202af35dadd652a5e3eae687ea709e95b11
@@ -436,6 +438,8 @@
  3.3.7
 8eb64155ff26823542ccf0225b3d57b6ae36ea89
  2.7.17
+8f0fa4bd10aba723aff988720cd26b93be99bc12
+ 3.10.7
 90e01e50ef8a9e6c91f30d965563c378a4ad26de
  3.7.0
 910886a6448e4bf1edf49eeace4aa240b6403772
@@ -538,6 +542,8 @@ b4bbee25b1e3f4bccac222f806b3138fb72439d6
  3.3.0
 b57a73694e26e8b2391731b5ee0b1be59437388e
  3.7.8
+b5e331fdb38684808ffc540d53e8595bdc408b89
+ 3.8.14
 b664a1df4ee71d3760ab937653b10997081b1794
  3.9.1
 b669bfc2bed1f5487ac2762bff53b55f6155bb60
@@ -599,6 +605,8 @@ cb6085138a845f8324adc011b65754acc2086cc0
  3.7.6
 cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
  3.4.7
+cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15
+ 3.9.14
 cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9
  3.6.12
 d0d4d30882fe3ab9b1badbecf5d15d94326fd13e

cve/CVE-2020-10735.json

@@ -0,0 +1,30 @@
+{
+    "Modified": "2022-09-14T11:15:00",
+    "Published": "2022-09-09T14:15:00",
+    "access": {},
+    "assigner": "secalert@redhat.com",
+    "cvss": null,
+    "cwe": "Unknown",
+    "id": "CVE-2020-10735",
+    "impact": {},
+    "last-modified": "2022-09-14T11:15:00",
+    "references": [
+        "https://access.redhat.com/security/cve/CVE-2020-10735",
+        "https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y",
+        "https://bugzilla.redhat.com/show_bug.cgi?id=1834423",
+        "https://github.com/python/cpython/issues/95778",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EWKR2SPX3JORLWCXFY3KN2U5B5CIUQQ/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VCU6EVQDIXNCEDJUCTFIER2WVNNDTYZ/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V7ZUJDHK7KNG6SLIFXW7MNZ6O2PUJYK6/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSRPVJZL6DJFWKYRHMNJB7VCEUCBKRF5/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XL6E5A3I36TRR73VNBOXNIQP4AMZDFZ/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4ZZV4CDFRMTPDBI7C5L43RFL3XLIGUY/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32AAQKABEKFCB5DDV5OONRZK6BS23HPW/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZYJSGLSCQOKXXFVJVJQAXLEOJBIWGEL/",
+        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT5WQB7Z3CXOWVBD2AFAHYPA5ONYFFZ4/"
+    ],
+    "summary": "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.",
+    "vulnerable_configuration": [],
+    "vulnerable_configuration_cpe_2_2": [],
+    "vulnerable_product": []
+}

python_releases.txt

@@ -116,6 +116,7 @@
 3.7.11: 2021-06-28
 3.7.12: 2021-09-05
 3.7.13: 2022-03-16
+3.7.14: 2022-09-07
 
 3.8.0: 2019-10-14
 3.8.1: 2019-12-18
@@ -131,6 +132,7 @@
 3.8.11: 2021-06-28
 3.8.12: 2021-08-31
 3.8.13: 2022-03-16
+3.8.14: 2022-09-07
 
 3.9.0: 2020-10-05
 3.9.1: 2020-12-07
@@ -146,6 +148,7 @@
 3.9.11: 2022-03-16
 3.9.12: 2022-03-23
 3.9.13: 2022-05-17
+3.9.14: 2022-09-07
 
 3.10.0: 2021-10-04
 3.10.1: 2021-12-06
@@ -154,3 +157,4 @@
 3.10.4: 2022-03-24
 3.10.5: 2022-06-06
 3.10.6: 2022-08-02
+3.10.7: 2022-09-07

render_doc.py

@@ -17,8 +17,9 @@
 import yaml
 
 
-# Last update: 2020-10-06
-MAINTAINED_BRANCHES = ['3.6', '3.7', '3.8', '3.9']
+# Last update: 2022-09-14
+# https://devguide.python.org/versions/
+MAINTAINED_BRANCHES = ['3.7', '3.8', '3.9', '3.10']
 
 STATUS_BRANCHES = """
 `Status of Python branches

vulnerabilities.yaml

@@ -1879,17 +1879,85 @@
     bzip2 is a dependency of CPython, and its 1.0.6 version
     has the following two vulnerabilities.
 
-    CVE-2016-3189: 
-    A use-after-free flaw was found in bzip2recover, 
-    leading to a null pointer dereference, or a write to a closed file 
-    descriptor. An attacker could use this flaw by sending a specially 
+    CVE-2016-3189:
+    A use-after-free flaw was found in bzip2recover,
+    leading to a null pointer dereference, or a write to a closed file
+    descriptor. An attacker could use this flaw by sending a specially
     crafted bzip2 file to recover and force the program to crash.
 
-    CVE-2019-12900: 
-    BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds 
+    CVE-2019-12900:
+    BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds
     write when there are many selectors.
 
     These vulnerabilities are fixed by updating bzip2 to 1.0.8 in Windows builds.
 
-    On Linux and macOS, you can fix them by specifying the dynamically link 
+    On Linux and macOS, you can fix them by specifying the dynamically link
     version of bzip2.
+
+- name: "Prevent DoS by large str-int conversions"
+  slug: large-int-str-dos
+  cve: CVE-2020-10735
+  gh: 95778
+  links:
+    - "`pydantic potential DOS when loading malicious JSON <https://github.com/pydantic/pydantic/issues/1477>`_ by Samuel Colvin (May 5, 2020)"
+    - "`Red Hat: CVE-2020-10735 <https://access.redhat.com/security/cve/CVE-2020-10735>`_"
+    - "LWN: `A Python security fix breaks (some) bignums <https://lwn.net/Articles/907572/>`_ (September 14, 2022)"
+    - "`Python releases 3.10.7, 3.9.14, 3.8.14, and 3.7.14 are now available <https://pythoninsider.blogspot.com/2022/09/python-releases-3107-3914-3814-and-3714.html>`_ (September 7, 2022)"
+  reported-at: "2020-05-05 (PSRT email)"
+  reported-by: "Larry Yuan"
+  fixed-in:
+   - '3.7': 15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2
+   - '3.8': b5e331fdb38684808ffc540d53e8595bdc408b89
+   - '3.9': cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15
+   - '3.10': 8f0fa4bd10aba723aff988720cd26b93be99bc12
+   - '3.11': f8b71da9aac6ea74808dcdd0cc266e705431356b
+   - '3.12': 511ca9452033ef95bc7d7fc404b8161068226002
+  description: |
+    A Denial Of Service (DoS) issue was identified in CPython because we use
+    binary bignum's for our int implementation. A huge integer will always
+    consume a near-quadratic amount of CPU time in conversion to or from a base
+    10 (decimal) string with a large number of digits. No efficient algorithm
+    exists to do otherwise.
+
+    It is quite common for Python code implementing network protocols and data
+    serialization to do int(untrusted_string_or_bytes_value) on input to get a
+    numeric value, without having limited the input length or to do
+    ``log("processing thing id %s", unknowingly_huge_integer)`` or any similar
+    concept to convert an int to a string without first checking its magnitude.
+    (http, json, xmlrpc, logging, loading large values into integer via
+    linear-time conversions such as hexadecimal stored in yaml, or anything
+    computing larger values based on user controlled inputs… which then wind up
+    attempting to output as decimal later on). All of these can suffer a CPU
+    consuming DoS in the face of untrusted data.
+
+    Everyone auditing all existing code for this, adding length guards, and
+    maintaining that practice everywhere is not feasible nor is it what we deem
+    the vast majority of our users want to do.
+
+    This issue has been reported to the Python Security Response Team multiple
+    times by a few different people since early 2020, most recently a few weeks
+    ago while I was in the middle of polishing up the PR so it’d be ready
+    before 3.11.0rc2.
+
+    After discussion on the Python Security Response Team mailing list the
+    conclusion was that we needed to limit the size of integer to string
+    conversions for non-linear time conversions (anything not a power-of-2
+    base) by default. And offer the ability to configure or disable this limit.
+
+    The fix adds ``PYTHONINTMAXSTRDIGITS=digits`` environment variable, ``-X
+    int_max_str_digits=digits`` command line option and
+    ``sys.set_int_max_str_digits(digits)`` function to configure the new limit.
+    Use a limit of ``0`` digits to disable the limit. The fix also adds
+    ``sys.get_int_max_str_digits()`` function and
+    ``sys.int_info.default_max_str_digits`` (compiled-in default limit) and
+    ``sys.int_info.str_digits_check_threshold`` (lowest accepted value for the
+    limit) variables
+
+    The ``json.load()`` denial of service was first reported as a `public
+    pydantic issue <https://github.com/pydantic/pydantic/issues/1477>`_ in May
+    2020. Then it was reported to the Python Security Response Team by multiple
+    persons:
+
+    * Larry Yuan (May 5, 2020)
+    * Tom Christie (May 6, 2020) via Sebastián Ramírez
+    * Mike Gagnon (August 3, 2022)