Date: Wed, 21 Sep 2022 09:17:21 +0300
From: Georgi Guninski <gguninski@...il.com>
To: oss-security@...ts.openwall.com
Subject: big ints in python: CVE-2020-10735

There was recent discussion of big ints in python and libgmp.

https://docs.python.org/3.10/whatsnew/changelog.html#security

===
gh-95778: Converting between int and str in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10
(decimal) now raises a ValueError if the number of digits in string
form is above a limit to avoid potential denial of service attacks due
to the algorithmic complexity. This is a mitigation for CVE-2020-10735
===

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735
===
In algorithms with quadratic time complexity using non-binary bases ...
The highest threat from this vulnerability is to system availability.
===

AFAICT the quadratic complexity is quadratic in the size of the int,
that is its logarithm.
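The mitigation's behaviour, shown as an added example that is not part of the post or of CPython's own code: `safe_int`, `conversion_limit`, `interpreter_rejects` and `big_int_to_str_behaviour` are names chosen here, and the 4300 fallback is CPython's documented default digit limit.

```python
"""CVE-2020-10735 mitigation (CPython 3.10.7+/3.11+): int<->str conversion in
bases that are not powers of two is quadratic in the digit count, so such
conversions now raise ValueError above a digit limit. Power-of-two bases
(2, 4, 8, 16, 32) are linear and stay unlimited."""
import sys

DEFAULT_LIMIT = 4300  # CPython's default limit; used as fallback on older interpreters

def conversion_limit():
    """Active digit limit, or None on an interpreter without the mitigation."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter else None

def safe_int(text, base=10, max_digits=DEFAULT_LIMIT):
    """Parse untrusted text as an int, rejecting oversized input in a
    non-power-of-two base *before* the quadratic conversion runs. This
    reproduces the protection on interpreters that lack it."""
    digits = text.strip().lstrip("+-")
    power_of_two = base != 0 and base & (base - 1) == 0  # base 0 = auto-detect
    if not power_of_two and len(digits) > max_digits:
        raise ValueError(f"{len(digits)} digits exceeds limit of {max_digits}")
    return int(text, base)

def interpreter_rejects(n_digits):
    """True if this interpreter's own int() refuses a decimal string of n_digits."""
    try:
        int("9" * n_digits)
    except ValueError:
        return True
    return False

def big_int_to_str_behaviour(n_bits=20000):
    """The int->str direction: 2**20000 has about 6021 decimal digits, above the
    default limit, so str() raises on a mitigated interpreter while hex() (a
    power-of-two base) always succeeds. Returns (decimal_ok, hex_ok)."""
    n = 1 << n_bits
    hex_ok = len(hex(n)) > 0
    try:
        str(n)
        decimal_ok = True
    except ValueError:
        decimal_ok = False
    return decimal_ok, hex_ok

if __name__ == "__main__":
    print("limit:", conversion_limit())
    print("int() rejects 5000 decimal digits:", interpreter_rejects(5000))
    print("(str ok, hex ok) for 2**20000:", big_int_to_str_behaviour())
```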
