Integer to and from text conversions via CPython's bignum int type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

Signed-off-by: Christian Heimes [Red Hat] christian@python.org
Tons-of-polishing-up-by: Gregory P. Smith [Google] greg@krypto.org
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

• Issue: CVE-2020-10735: Prevent DoS by large int<->str conversions #95778

I wrote up a one pager for the release managers. Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.

Further Discussion

... is taking place in discuss.python.org threads

remaining TODOs (aka project management)

• After this ships: file a follow-up issue to move int_max_str_digits into PyConfig in 3.12.
• After this ships: file a feature request to add PySys_Audit hook calls at the new ValueError raise spots.
• If this ships in 3.11rc2: file an issue to update the version notes about it in the 3.12 docs to say 3.11 and remove the 3.12 whatsnew text.
• The above are tracked in main branch code cleanups for int_max_str_digits non-backportable TODOs #96512.
• RedHat's CNA reserved that CVE number, they control interaction and coordination with MITRE on marking it public and assigning the score. - @tiran
• assign CVSS score
  • Assuming worst case, we they'll likely assign CVSS score 7.5 (High) to the issue, https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1