Message-ID: <CAGUWgD8-9ST3-hxOTY+Xar6S88uuydz=ods4k1vBQq_GXXahKg@mail.gmail.com>
Date: Wed, 21 Sep 2022 09:17:21 +0300
From: Georgi Guninski <gguninski@...il.com>
To: oss-security@...ts.openwall.com
Subject: big ints in python: CVE-2020-10735

There was recent discussion of big ints in python and libgmp.

https://docs.python.org/3.10/whatsnew/changelog.html#security
===
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735
====

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735
===
In algorithms with quadratic time complexity using non-binary bases ... The highest threat from this vulnerability is to system availability.
===

AFAICT the quadratic complexity is quadratic in the size of the int, that is its logarithm.
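The following is an added example (not part of the post above) showing the mitigation from the defender's side: the digit limit is applied with sys.set_int_max_str_digits() (present in 3.11 and the 3.10/3.9 point releases that shipped the fix), decimal int()/str() conversions over the limit are refused, and power-of-two bases such as hex stay unlimited. The function names, the 4300 default and the fallback length check for older interpreters are this example's own assumptions.

```python
import sys
from contextlib import contextmanager

# Default limit shipped with the mitigation; 0 disables it, and non-zero values
# below sys.int_info.str_digits_check_threshold (640) are rejected by the API.
DEFAULT_LIMIT = 4300

def supports_limit() -> bool:
    """True when this interpreter carries the CVE-2020-10735 mitigation."""
    return hasattr(sys, "set_int_max_str_digits")

@contextmanager
def int_digit_limit(limit: int):
    """Temporarily set the int<->str digit limit (no-op on older interpreters)."""
    if not supports_limit():
        yield
        return
    previous = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)
    try:
        yield
    finally:
        sys.set_int_max_str_digits(previous)

def parse_decimal(text: str, limit: int = DEFAULT_LIMIT):
    """Parse a base-10 string; returns ("ok", value) or ("rejected", reason)."""
    digits = text.strip().lstrip("+-").replace("_", "")
    # Unpatched interpreters have no built-in check, so apply one here (assumed fallback).
    if not supports_limit() and len(digits) > limit:
        return ("rejected", f"value has {len(digits)} digits, limit is {limit}")
    with int_digit_limit(limit):
        try:
            return ("ok", int(text))
        except ValueError as exc:  # limit exceeded (or not a decimal literal)
            return ("rejected", str(exc))

def decimal_str_rejected(value: int, limit: int = DEFAULT_LIMIT) -> bool:
    """str() of a large int is limited too; True if the conversion was refused."""
    with int_digit_limit(limit):
        try:
            str(value)
            return False
        except ValueError:
            return True

def hex_is_unlimited(n_digits: int) -> bool:
    """Base 16 is linear-time and exempt: a long hex string parses and formats."""
    with int_digit_limit(DEFAULT_LIMIT):
        value = int("f" * n_digits, 16)
        return len(format(value, "x")) == n_digits
```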