CVE-2020-10735

Publication date 9 September 2022

Last updated 24 July 2024


Ubuntu priority

Negligible

Why this priority?

Cvss 3 Severity Score

7.5 · High

Score breakdown

A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

From the Ubuntu Security Team

To avoid backwards-incompatible changes Ubuntu Security will not apply Python’s CVE-2020-10735 bugfix. Ubuntu Security does not consider int<->str conversion a security issue in Python. Rather, developers may introduce Denial of Service (DoS) vulnerabilities into their code by parsing unsanitized data with int<->str conversion. Developers using bignum integers are encouraged to consider specialized libraries, such as GMP. Using PyLong_FromString() in public APIs without an integer limit is strongly discouraged.

Read the notes from the security team

Status

Package Ubuntu Release Status
python 22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support
python2.7 22.10 kinetic Ignored end of life, was ignored [change too intrusive]
22.04 LTS jammy Ignored change too intrusive
20.04 LTS focal Ignored change too intrusive
18.04 LTS bionic Ignored change too intrusive
16.04 LTS xenial Ignored change too intrusive
14.04 LTS trusty Ignored end of ESM support, was ignored [change too intrusive]
python3.10 22.10 kinetic Ignored end of life, was ignored [change too intrusive]
22.04 LTS jammy Ignored change too intrusive
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support
python3.4 22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of ESM support, was ignored [change too intrusive]
python3.5 22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored change too intrusive
14.04 LTS trusty Ignored end of ESM support, was ignored [change too intrusive]
python3.6 22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Ignored change too intrusive
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support
python3.7 22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Ignored change too intrusive
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support
python3.8 22.04 LTS jammy Not in release
20.04 LTS focal Ignored change too intrusive
18.04 LTS bionic Ignored change too intrusive
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support
python3.9 22.04 LTS jammy Not in release
20.04 LTS focal Ignored change too intrusive
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support

Notes


alexmurray

The upstream patch for this issue now limits the input string for int() to 5000 digits - this is a breaking change but very unlikely to cause a regression since it is highly unlikely there is code handling such large numbers since as noted in the upstream commit, "total amount of protons in the observable universe is known as Eddington number. That number has 80 digits." - so 5000 digits out to be enough for anyone


eslerm

ongoing discourse on https://discuss.python.org LWN reports patch causes regressions

Severity score breakdown

Parameter Value
Base score 7.5 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H