Date: Wed, 21 Sep 2022 09:17:21 +0300 From: Georgi Guninski <gguninski@...il.com> To: oss-security@...ts.openwall.com Subject: big ints in python: CVE-2020-10735 There was recent discussion of big ints in python and libgmp. https://docs.python.org/3.10/whatsnew/changelog.html#security === gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 ==== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735 === In algorithms with quadratic time complexity using non-binary bases ... The highest threat from this vulnerability is to system availability. === AFAICT the quadratic complexity is quadratic in the size of the int, that is its logarithm.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.