[maintenance] Help with porting fix for CVE-2020-10735 on 3.6 (and possibly even 2.7)

(this is my first post here, I am sorry if it is in a wrong subsection, please, point me in the right direction, if it is the case).


I am working on porting the CVE-2020-10735 (that controversial int->str conversion thingy) to Python 3.6 for SUSE Enterprise Linux and currently I have https://mcepl.fedorapeople.org/tmp/CVE-2020-10735-DoS-no-limit-int-size.patch (or branch GitHub - mcepl/cpython at CVE-2020-10735-port-patch-3.6).

Obviously, the biggest problem I have is that the startup sequence was completely rewritten in 3.7, so I had to rearrange things quite a lot, and probably I have missed something (nobody ever would accuse me of being a seasoned C programmer). The simplest test doesn’t work:

> ./python -X faulthandler -X int_max_str_digits=7000 -c 'import sys;print(sys.flags.int_max_str_digits, sys.get_int_max_str_digits())'
-1 4300

So, I pulled out gdb, but the result was quite confusing: SUSE Paste … this jumping out of the function after that PyDECREF is absolutely predictable, it happened in three of three situations. Is there some threading thing going on? Or what else?

Also, even when (when trying with setting the environmental variable PYTHONINTMAXSTRDIGITS) the global variable _Py_global_config_int_max_str_digits is set, the function still won’t finish right (breaks in the same place), and the value of sys.flags.int_max_str_digits is still -1 and sys.get_int_max_str_digits() still returns 4300.

Anybody any suggestions, how to continue?

Thank you for any suggestions,


Hi, are you aware that I backported the change to Python 3.6 in Fedora? My commit is public: 00387: CVE-2020-10735: Prevent DoS by very large int() · fedora-python/cpython@31cfb69 · GitHub

Of course not. I will certainly use it.

Still, any idea, why gdb decided to hate me?

Thank you very much.

1 Like

I try to only use gdb on Python built with -O0: see Debugging Python C extensions with GDB | Red Hat Developer