[3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() by gpshead · Pull Request #96501 · python/cpython

gpshead

Integer to and from text conversions via CPython's bignum int type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports #96499 aka 511ca94

Signed-off-by: Christian Heimes [Red Hat] christian@python.org
Tons-of-polishing-up-by: Gregory P. Smith [Google] greg@krypto.org
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

Issue: CVE-2020-10735: Prevent DoS by large int<->str conversions #95778

I wrote up a one pager for the release managers.