oss-sec mailing list archives
big ints in python: CVE-2020-10735
From: Georgi Guninski <gguninski () gmail com>
Date: Wed, 21 Sep 2022 09:17:21 +0300
There was recent discussion of big ints in python and libgmp. https://docs.python.org/3.10/whatsnew/changelog.html#security === gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 ==== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735 === In algorithms with quadratic time complexity using non-binary bases ... The highest threat from this vulnerability is to system availability. === AFAICT the quadratic complexity is quadratic in the size of the int, that is its logarithm.
Current thread:
- big ints in python: CVE-2020-10735 Georgi Guninski (Sep 21)
- Re: big ints in python: CVE-2020-10735 Demi Marie Obenour (Sep 21)