Lucene search

K
ubuntucveUbuntu.comUB:CVE-2020-10735
HistorySep 09, 2022 - 12:00 a.m.

CVE-2020-10735

2022-09-0900:00:00
ubuntu.com
ubuntu.com
25
python
vulnerability
system availability
integer parsing

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.006

Percentile

77.9%

A flaw was found in python. In algorithms with quadratic time complexity
using non-binary bases, when using int(“text”), a system could take 50ms to
parse an int string with 100,000 digits and 5s for 1,000,000 digits (float,
decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32
are not affected). The highest threat from this vulnerability is to system
availability.

Bugs

Notes

Author Note
alexmurray The upstream patch for this issue now limits the input string for int() to 5000 digits - this is a breaking change but very unlikely to cause a regression since it is highly unlikely there is code handling such large numbers since as noted in the upstream commit, “total amount of protons in the observable universe is known as Eddington number. That number has 80 digits.” - so 5000 digits out to be enough for anyone
eslerm ongoing discourse on https://discuss.python.org LWN reports patch causes regressions

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.006

Percentile

77.9%