Slow IDNA decoding with large strings [CVE-2022-45061] #98433

guidovranken · 2022-10-19T06:12:24Z

Bug report

Originally reported to the security address on September 9.

('xn--016c'+'a'*5000).encode('utf-8').decode('idna')

The execution time is not linear in relation to the input string size, which can cause slowness with large inputs:

10 chars = 0.016 seconds
100 chars = 0.047 seconds
1000 chars = 2.883 seconds
2500 chars = 17.724 seconds
5000 chars = 1 min 10 seconds

Comment by @tiran:

According to spec https://unicode.org/reports/tr46/ an IDNA label must not be longer than 63 characters. Python's idna module enforces the restriction, but too late.

This may be abused in some cases, for example by passing a crafted host name to asyncio create_connection:

import asyncio

async def main():
    loop = asyncio.get_running_loop()

    await loop.create_connection(
        lambda: [], ('xn--016c'+'a'*5000).encode('utf-8'), 443
    )

asyncio.run(main())

Your environment

CPython versions tested on: CPython repository 'main' branch checkout, version 3.8.12, version 2.7.18
Operating system and architecture: Ubuntu Linux x64

PR: gh-98433: Fix quadratic time idna decoding. #99092

PR: [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) #99222

PR: [3.10] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99229

PR: [3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99230

PR: [3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99231

PR: [3.7] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99232

The text was updated successfully, but these errors were encountered:

gpshead · 2022-11-04T06:42:30Z

This is probably in ToUnicode and ToASCII of https://github.com/python/cpython/blob/main/Lib/encodings/idna.py and/or in https://github.com/python/cpython/blob/main/Lib/encodings/punycode.py itself, where we could presumably just do an up front length check and reject inputs that are obviously too long to possibly decode into a label length that DNS standards will accept.

If there are libraries that allow an attacker controlled hostname without a reasonable length check on it to get into a connect or similar call that tries idna decoding, that'd make this remotely exploitable. Based solely on code inspection, the urllib.request.HTTPRedirectHandler class is probably vulnerable to this - https://github.com/python/cpython/blob/main/Lib/urllib/request.py#L652 - the location or uri headers it consumes on a HTTP 302 redirect reponse to construct the new URL are not obviously limited, nor is the host that ultimately winds it way down into the socket module. (I didn't test this, I was just reading code) A test case would be to point urllib at a malicious server that sends a 2000 byte idna hostname in a 302 redirect header...

vstinner · 2022-11-04T09:13:30Z

The issue #99083 was marked as a duplicate of this issue.

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. An early length check would still be a good idea given that DNS IDNA label names cannot be more than 63 ASCII characters.

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. This also adds an early length check in IDNA decoding to outright reject huge inputs early on given the ultimate result is defined to be 63 or fewer characters.

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. This also adds an early length check in IDNA decoding to outright reject huge inputs early on given the ultimate result is defined to be 63 or fewer characters. (cherry picked from commit d315722) Co-authored-by: Gregory P. Smith <greg@krypto.org>

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722) Co-authored-by: Gregory P. Smith <greg@krypto.org>

) (pythonGH-99222) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722) (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722) (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

gpshead · 2022-11-09T06:39:44Z

PRs are either merged or will be merged before the next release (marked as release-blockers) so I'm closing this.

A CVE id has been assigned CVE-2022-45061 for tracking purposes.

vstinner · 2022-11-09T10:50:40Z

I created https://python-security.readthedocs.io/vuln/slow-idna-large-strings.html to track this vulnerability. The fix is not merged into 3.8 and 3.9 branches yet.

… (GH-99231) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722) (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

… (#99230) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722) (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

Fix CVE-2022-45061, referenced as python/cpython#98433 patch taken from python/cpython@064ec20 Signed-off-by: Omkar <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>

Fix CVE-2022-45061, referenced as python/cpython#98433 patch taken from python/cpython@064ec20 (From OE-Core rev: 4498ca9a299bd5d9a7173ec67daf17cb66b6d286) Signed-off-by: Omkar <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Source: poky MR: 123948, 123690 Type: Security Fix Disposition: Merged from poky ChangeID: 124e5c83914ea141f93c28f054d9b53babf1c6ea Description: Fix CVE-2022-45061, referenced as python/cpython#98433 patch taken from python/cpython@064ec20 (From OE-Core rev: 4498ca9a299bd5d9a7173ec67daf17cb66b6d286) Signed-off-by: Omkar <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>

…oder pythongh-98433: Fix quadratic time idna decoding. There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…er.patch 00394 # pythongh-98433: Fix quadratic time idna decoding. There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. Backported from python3. (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…oder pythongh-98433: Fix quadratic time idna decoding. There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

guidovranken added the type-bug An unexpected behavior, bug, or error label Oct 19, 2022

pochmann mentioned this issue Nov 4, 2022

Exponential IDNA codec decoding potential denial of service #99083

Closed

gpshead added type-security A security issue 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.8 (EOL) end of life 3.12 bugs and security fixes labels Nov 4, 2022

bedevere-bot mentioned this issue Nov 4, 2022

gh-98433: Fix quadratic time idna decoding. #99092

Merged

2 tasks

bedevere-bot mentioned this issue Nov 8, 2022

[3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) #99222

Merged

This was referenced Nov 8, 2022

[3.10] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99229

Merged

[3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99230

Merged

This was referenced Nov 8, 2022

[3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99231

Merged

[3.7] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99232

Merged

gpshead added the 3.7 (EOL) end of life label Nov 8, 2022

gpshead closed this as completed Nov 9, 2022

gpshead changed the title ~~Slow IDNA decoding with large strings~~ Slow IDNA decoding with large strings [CVE-2022-45061] Nov 9, 2022

hbeberman mentioned this issue Dec 7, 2022

Patch python3 for CVE-2022-45061 microsoft/azurelinux#4379

Merged

12 tasks

MingcongBai mentioned this issue Dec 13, 2022

python-3: update to 3.10.9 AOSC-Dev/aosc-os-abbs#4337

Closed

stratakis mentioned this issue Dec 19, 2022

00394: CVE-2022-45061: CPU denial of service via inefficient IDNA decoder fedora-python/cpython#52

Merged

stratakis mentioned this issue Dec 19, 2022

00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch fedora-python/cpython#53

Merged

guidovranken mentioned this issue Jul 17, 2024

deleted #121906

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Slow IDNA decoding with large strings [CVE-2022-45061] #98433

Slow IDNA decoding with large strings [CVE-2022-45061] #98433

guidovranken commented Oct 19, 2022 •

edited by bedevere-bot

Loading

gpshead commented Nov 4, 2022

vstinner commented Nov 4, 2022

gpshead commented Nov 9, 2022

vstinner commented Nov 9, 2022

Slow IDNA decoding with large strings [CVE-2022-45061] #98433

Slow IDNA decoding with large strings [CVE-2022-45061] #98433

Comments

guidovranken commented Oct 19, 2022 • edited by bedevere-bot Loading

Bug report

Your environment

gpshead commented Nov 4, 2022

vstinner commented Nov 4, 2022

gpshead commented Nov 9, 2022

vstinner commented Nov 9, 2022

guidovranken commented Oct 19, 2022 •

edited by bedevere-bot

Loading