diff --git a/bugs.txt b/bugs.txt index 2990dd6..57c9101 100644 --- a/bugs.txt +++ b/bugs.txt @@ -347,3 +347,7 @@ bpo-8674: author: Tomas Hoger date: 2010-05-10 13:43:22 title: 'audioop: incorrect integer overflow checks' +gh-95778: + author: gpshead + date: 2022-08-08 07:53:39 + title: 'CVE-2020-10735: Prevent DoS by large int<->str conversions' diff --git a/commit_dates.txt b/commit_dates.txt index 55e0493..ad9d453 100644 --- a/commit_dates.txt +++ b/commit_dates.txt @@ -23,6 +23,7 @@ 11bb2cdc6aa8db142a87de281b83293d500847b2: Tue May 11 13:05:30 2010 +0000 11d258ceafdf60ab3840f9a5700f2d0ad3e2e2d1: Tue Aug 4 08:03:30 2020 +0530 13a19139b5e76175bc95294d54afc9425e4f36c9: Fri Aug 9 08:22:19 2019 -0700 +15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2: Mon Sep 5 22:24:36 2022 -0700 1698cacfb924d1df452e78d11a4bf81ae7777389: Sat Sep 28 09:33:00 2019 +0200 16d63202af35dadd652a5e3eae687ea709e95b11: Wed Dec 12 12:05:59 2018 +0100 16e6f7dee7f02bb81aa6b385b982dcdda5b99286: Thu Mar 7 08:02:26 2019 -0800 @@ -93,6 +94,7 @@ 4f06dae5d8d4400ba38d8502da620f07d4a5696e: Wed May 29 04:30:48 2019 +0200 4fe82a8eef7aed60de05bfca0f2c322730ea921e: Sun Jul 14 09:04:15 2019 +0200 4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd: Mon Nov 3 14:29:33 2014 -0500 +511ca9452033ef95bc7d7fc404b8161068226002: Fri Sep 2 09:35:08 2022 -0700 51332c467ed2e07a191f903d554d0c54248e4d88: Fri Jan 31 13:12:20 2020 +1100 515a7bc4e13645d0945b46a8e1d9102b918cd407: Wed May 5 10:25:29 2021 -0700 516a6a254814d2bc6a90290dfc44d77fdfb4050b: Tue Jun 18 02:13:58 2019 +0200 
@@ -174,6 +176,7 @@ 8e42fb7ada3198e66d3f060c5c87c52465a86e36: Sat Jul 3 13:46:01 2010 +0000 8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1: Wed Jul 26 06:54:31 2017 +0300 8eb64155ff26823542ccf0225b3d57b6ae36ea89: Tue Oct 1 19:58:01 2019 +0900 +8f0fa4bd10aba723aff988720cd26b93be99bc12: Fri Sep 2 09:51:49 2022 -0700 90e01e50ef8a9e6c91f30d965563c378a4ad26de: Tue Jun 20 06:02:44 2017 -0700 910886a6448e4bf1edf49eeace4aa240b6403772: Tue Aug 31 02:35:31 2021 -0400 9165addc22d05e776a54319a8531ebd0b2fe01ef: Sat Mar 14 14:56:06 2020 -0400 @@ -217,6 +220,7 @@ b30ee26e366bf509b7538d79bfec6c6d38d53f28: Mon Jun 29 23:09:29 2020 +0530 b3ac84322fe6dd542aa755779cdbc155edca8064: Sun Oct 12 08:50:11 2014 +0200 b4bbee25b1e3f4bccac222f806b3138fb72439d6: Sat Jul 21 00:45:14 2012 +0200 b57a73694e26e8b2391731b5ee0b1be59437388e: Thu Apr 2 03:16:17 2020 -0700 +b5e331fdb38684808ffc540d53e8595bdc408b89: Mon Sep 5 13:26:09 2022 -0700 b664a1df4ee71d3760ab937653b10997081b1794: Tue Oct 6 05:37:36 2020 -0700 b669bfc2bed1f5487ac2762bff53b55f6155bb60: Thu Mar 12 11:15:15 2015 +0200 b98e7790c77a4378ec4b1c71b84138cb930b69b7: Wed Jul 1 00:50:21 2020 +0530 @@ -244,6 +248,7 @@ cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84: Thu Jul 16 21:48:01 2020 +0200 cb5778f00ce48631c7140f33ba242496aaf7102b: Tue Sep 18 14:38:58 2018 +0200 cb6085138a845f8324adc011b65754acc2086cc0: Fri Nov 22 06:42:13 2019 -0800 cc54c1c0d2d05fe7404ba64c53df4b1352ed2262: Wed Jul 12 14:51:46 2017 +0200 +cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15: Mon Sep 5 02:21:03 2022 -0700 cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9: Wed Jul 1 01:00:22 2020 +0530 d0d4d30882fe3ab9b1badbecf5d15d94326fd13e: Mon Feb 15 10:34:14 2021 -0800 d0e61bded5256e775e470e2c0da22367a1a81970: Wed Aug 16 18:05:57 2017 +0200 
@@ -307,6 +312,7 @@ f4dac7ec55477a6c5d965e594e74bd6bda786903: Thu May 6 09:52:36 2021 -0700 f61599b050c621386a3fc6bc480359e2d3bb93de: Tue Jun 4 09:40:16 2019 -0700 f68d2d69f1da56c2aea1293ecf93ab69a6010ad7: Thu May 6 10:05:37 2021 -0700 f7666e828cc3d5873136473ea36ba2013d624fa1: Tue Sep 18 06:14:13 2018 -0700 +f8b71da9aac6ea74808dcdd0cc266e705431356b: Fri Sep 2 09:48:57 2022 -0700 f91a0b6df14d6c5133fe3d5889fad7d84fc0c046: Fri Jun 12 17:33:19 2020 +0200 fa53dbdec818b0f2a0e22ca12a49d83ec948fc91: Fri Mar 10 01:49:11 2017 +0100 faad6bbea6c86e30c770eb0a3648e2cd52b2e55e: Fri Dec 5 20:02:38 2014 -0500 diff --git a/commit_tags.txt b/commit_tags.txt index 519542d..a046aa4 100644 --- a/commit_tags.txt +++ b/commit_tags.txt @@ -60,6 +60,8 @@ 3.5.10 13a19139b5e76175bc95294d54afc9425e4f36c9 3.6.10 +15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2 + 3.7.14 1698cacfb924d1df452e78d11a4bf81ae7777389 3.6.10 16d63202af35dadd652a5e3eae687ea709e95b11 @@ -436,6 +438,8 @@ 3.3.7 8eb64155ff26823542ccf0225b3d57b6ae36ea89 2.7.17 +8f0fa4bd10aba723aff988720cd26b93be99bc12 + 3.10.7 90e01e50ef8a9e6c91f30d965563c378a4ad26de 3.7.0 910886a6448e4bf1edf49eeace4aa240b6403772 @@ -538,6 +542,8 @@ b4bbee25b1e3f4bccac222f806b3138fb72439d6 3.3.0 b57a73694e26e8b2391731b5ee0b1be59437388e 3.7.8 +b5e331fdb38684808ffc540d53e8595bdc408b89 + 3.8.14 b664a1df4ee71d3760ab937653b10997081b1794 3.9.1 b669bfc2bed1f5487ac2762bff53b55f6155bb60 @@ -599,6 +605,8 @@ cb6085138a845f8324adc011b65754acc2086cc0 3.7.6 cc54c1c0d2d05fe7404ba64c53df4b1352ed2262 3.4.7 +cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15 + 3.9.14 cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9 3.6.12 d0d4d30882fe3ab9b1badbecf5d15d94326fd13e diff --git a/cve/CVE-2020-10735.json b/cve/CVE-2020-10735.json new file mode 100644 index 0000000..4b19263 --- /dev/null +++ b/cve/CVE-2020-10735.json 
@@ -0,0 +1,30 @@ +{ + "Modified": "2022-09-14T11:15:00", + "Published": "2022-09-09T14:15:00", + "access": {}, + "assigner": "secalert@redhat.com", + "cvss": null, + "cwe": "Unknown", + "id": "CVE-2020-10735", + "impact": {}, + "last-modified": "2022-09-14T11:15:00", + "references": [ + "https://access.redhat.com/security/cve/CVE-2020-10735", + "https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y", + "https://bugzilla.redhat.com/show_bug.cgi?id=1834423", + "https://github.com/python/cpython/issues/95778", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EWKR2SPX3JORLWCXFY3KN2U5B5CIUQQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VCU6EVQDIXNCEDJUCTFIER2WVNNDTYZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V7ZUJDHK7KNG6SLIFXW7MNZ6O2PUJYK6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSRPVJZL6DJFWKYRHMNJB7VCEUCBKRF5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XL6E5A3I36TRR73VNBOXNIQP4AMZDFZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4ZZV4CDFRMTPDBI7C5L43RFL3XLIGUY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32AAQKABEKFCB5DDV5OONRZK6BS23HPW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZYJSGLSCQOKXXFVJVJQAXLEOJBIWGEL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT5WQB7Z3CXOWVBD2AFAHYPA5ONYFFZ4/" + ], + "summary": "A flaw was found in python. 
In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.", + "vulnerable_configuration": [], + "vulnerable_configuration_cpe_2_2": [], + "vulnerable_product": [] +} \ No newline at end of file diff --git a/python_releases.txt b/python_releases.txt index 9c001b1..f8b4c48 100644 --- a/python_releases.txt +++ b/python_releases.txt @@ -116,6 +116,7 @@ 3.7.11: 2021-06-28 3.7.12: 2021-09-05 3.7.13: 2022-03-16 +3.7.14: 2022-09-07 3.8.0: 2019-10-14 3.8.1: 2019-12-18 @@ -131,6 +132,7 @@ 3.8.11: 2021-06-28 3.8.12: 2021-08-31 3.8.13: 2022-03-16 +3.8.14: 2022-09-07 3.9.0: 2020-10-05 3.9.1: 2020-12-07 @@ -146,6 +148,7 @@ 3.9.11: 2022-03-16 3.9.12: 2022-03-23 3.9.13: 2022-05-17 +3.9.14: 2022-09-07 3.10.0: 2021-10-04 3.10.1: 2021-12-06 @@ -154,3 +157,4 @@ 3.10.4: 2022-03-24 3.10.5: 2022-06-06 3.10.6: 2022-08-02 +3.10.7: 2022-09-07 diff --git a/render_doc.py b/render_doc.py index 8d9d017..a889614 100644 --- a/render_doc.py +++ b/render_doc.py @@ -17,8 +17,9 @@ import yaml -# Last update: 2020-10-06 -MAINTAINED_BRANCHES = ['3.6', '3.7', '3.8', '3.9'] +# Last update: 2022-09-14 +# https://devguide.python.org/versions/ +MAINTAINED_BRANCHES = ['3.7', '3.8', '3.9', '3.10'] STATUS_BRANCHES = """ `Status of Python branches diff --git a/vulnerabilities.yaml b/vulnerabilities.yaml index 32e8789..adc0586 100644 --- a/vulnerabilities.yaml +++ b/vulnerabilities.yaml 
@@ -1879,17 +1879,85 @@ bzip2 is a dependency of CPython, and its 1.0.6 version has the following two vulnerabilities. - CVE-2016-3189: - A use-after-free flaw was found in bzip2recover, - leading to a null pointer dereference, or a write to a closed file - descriptor. An attacker could use this flaw by sending a specially + CVE-2016-3189: + A use-after-free flaw was found in bzip2recover, + leading to a null pointer dereference, or a write to a closed file + descriptor. An attacker could use this flaw by sending a specially crafted bzip2 file to recover and force the program to crash. - CVE-2019-12900: - BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds + CVE-2019-12900: + BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. These vulnerabilities are fixed by updating bzip2 to 1.0.8 in Windows builds. - On Linux and macOS, you can fix them by specifying the dynamically link + On Linux and macOS, you can fix them by specifying the dynamically link version of bzip2. 
+ +- name: "Prevent DoS by large str-int conversions" + slug: large-int-str-dos + cve: CVE-2020-10735 + gh: 95778 + links: + - "`pydantic potential DOS when loading malicious JSON `_ by Samuel Colvin (May 5, 2020)" + - "`Red Hat: CVE-2020-10735 `_" + - "LWN: `A Python security fix breaks (some) bignums `_ (September 14, 2022)" + - "`Python releases 3.10.7, 3.9.14, 3.8.14, and 3.7.14 are now available `_ (September 7, 2022)" + reported-at: "2020-05-05 (PSRT email)" + reported-by: "Larry Yuan" + fixed-in: + - '3.7': 15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2 + - '3.8': b5e331fdb38684808ffc540d53e8595bdc408b89 + - '3.9': cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15 + - '3.10': 8f0fa4bd10aba723aff988720cd26b93be99bc12 + - '3.11': f8b71da9aac6ea74808dcdd0cc266e705431356b + - '3.12': 511ca9452033ef95bc7d7fc404b8161068226002 + description: | + A Denial Of Service (DoS) issue was identified in CPython because we use + binary bignum's for our int implementation. A huge integer will always + consume a near-quadratic amount of CPU time in conversion to or from a base + 10 (decimal) string with a large number of digits. No efficient algorithm + exists to do otherwise. + + It is quite common for Python code implementing network protocols and data + serialization to do int(untrusted_string_or_bytes_value) on input to get a + numeric value, without having limited the input length or to do + ``log("processing thing id %s", unknowingly_huge_integer)`` or any similar + concept to convert an int to a string without first checking its magnitude. + (http, json, xmlrpc, logging, loading large values into integer via + linear-time conversions such as hexadecimal stored in yaml, or anything + computing larger values based on user controlled inputs… which then wind up + attempting to output as decimal later on). All of these can suffer a CPU + consuming DoS in the face of untrusted data. 
+ + Everyone auditing all existing code for this, adding length guards, and + maintaining that practice everywhere is not feasible nor is it what we deem + the vast majority of our users want to do. + + This issue has been reported to the Python Security Response Team multiple + times by a few different people since early 2020, most recently a few weeks + ago while I was in the middle of polishing up the PR so it’d be ready + before 3.11.0rc2. + + After discussion on the Python Security Response Team mailing list the + conclusion was that we needed to limit the size of integer to string + conversions for non-linear time conversions (anything not a power-of-2 + base) by default. And offer the ability to configure or disable this limit. + + The fix adds ``PYTHONINTMAXSTRDIGITS=digits`` environment variable, ``-X + int_max_str_digits=digits`` command line option and + ``sys.set_int_max_str_digits(digits)`` function to configure the new limit. + Use a limit of ``0`` digits to disable the limit. The fix also adds + ``sys.get_int_max_str_digits()`` function and + ``sys.int_info.default_max_str_digits`` (compiled-in default limit) and + ``sys.int_info.str_digits_check_threshold`` (lowest accepted value for the + limit) variables + + The ``json.load()`` denial of service was first reported as a `public + pydantic issue `_ in May + 2020. Then it was reported to the Python Security Response Team by multiple + persons: + + * Larry Yuan (May 5, 2020) + * Tom Christie (May 6, 2020) via Sebastián Ramírez + * Mike Gagnon (August 3, 2022)
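Review bot: In the bugs.txt hunk the new gh-95778 entry records the author as the GitHub login "gpshead" while the neighbouring bpo-8674 entry uses a full name ("Tomas Hoger"); pick one convention for the file, either the full name for gh- issues too or a note in the file header that gh- entries carry GitHub logins, so the rendered bug list stays consistent.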
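Review bot: In the commit_dates.txt and commit_tags.txt hunks, the six fix commits all get dates, but only the four 3.7, 3.8, 3.9 and 3.10 commits (15ec1afd…, b5e331fd…, cec1e9df…, 8f0fa4bd…) get tags (3.7.14, 3.8.14, 3.9.14, 3.10.7); the 3.11 commit f8b71da9… and the 3.12 commit 511ca945… have no commit_tags.txt entry. That is correct for the 2022-09-14 snapshot (the description mentions 3.11.0rc2 as the target, i.e. not yet released), but leave a comment in the commit message or the data file so the two missing tags are filled in once 3.11.0 and the first 3.12 release ship; otherwise the renderer will keep showing those branches as unfixed.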
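Review bot: The new cve/CVE-2020-10735.json carries "cvss": null, "cwe": "Unknown" and empty "vulnerable_configuration" / "vulnerable_product" arrays, i.e. the imported record had not been scored or mapped to CPEs yet when it was fetched on 2022-09-14; plan to re-import it once the upstream record is analysed, since the rendered page will otherwise show no severity for an availability DoS. The file is also written without a trailing newline ("\ No newline at end of file"); add one so later diffs on this file stay clean.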
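Review bot: In the render_doc.py hunk MAINTAINED_BRANCHES is bumped to ['3.7', '3.8', '3.9', '3.10'], but the new vulnerabilities.yaml entry lists fix commits for '3.11' and '3.12' as well. If this list drives which branches appear in the per-vulnerability status table, the 3.11 fix (which the description says was polished for 3.11.0rc2) will not be shown; either add '3.11' now or add a comment next to the devguide link explaining that pre-release branches are deliberately left out until their first final release.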
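Review bot: The first vulnerabilities.yaml hunk (the bzip2 entry) removes and re-adds the CVE-2016-3189 and CVE-2019-12900 lines with text that reads identically on both sides, so this is a trailing-whitespace cleanup unrelated to CVE-2020-10735. Move it to a separate commit, or at least mention it in the commit message, so that blame on the bzip2 entry does not point at the int/str DoS change.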
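Review bot: In the new "Prevent DoS by large str-int conversions" entry, the description block is a near-verbatim first-person quote from gh-95778 ("most recently a few weeks ago while I was in the middle of polishing up the PR so it'd be ready before 3.11.0rc2", "what we deem the vast majority of our users want") presented in the entry's own voice; open the block with a line such as "Quoting the issue author (gpshead) in gh-95778:" so the "I" and "we" are attributed. That also lets the sentence "No efficient algorithm exists to do otherwise" stand as the author's words rather than the entry's claim, since subquadratic divide-and-conquer base conversion does exist on top of a fast multiplication, which CPython's int implementation does not have. Three smaller points in the same hunk: the four "links:" items and the "public pydantic issue" reference have nothing between the link text and the closing "`_" (e.g. "`Red Hat: CVE-2020-10735 `_"), so either the URLs were dropped or the references will render unresolved; "reported-by: Larry Yuan" should probably list all three reporters the description credits (Larry Yuan, Tom Christie via Sebastián Ramírez, Mike Gagnon), or the field should say "first reported by"; and the sentence ending "``sys.int_info.str_digits_check_threshold`` (lowest accepted value for the limit) variables" is missing its final period.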