Описание
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python3.13 | unfixed | package | ||
| python3.12 | unfixed | package | ||
| python3.11 | removed | package | ||
| python3.11 | no-dsa | bookworm | package | |
| python3.9 | removed | package | ||
| python2.7 | removed | package | ||
| python2.7 | end-of-life | bullseye | package | |
| jython | unfixed | package | ||
| jython | no-dsa | bookworm | package | |
| jython | end-of-life | bullseye | package |
Примечания
https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/
https://github.com/python/cpython/issues/135462
https://github.com/python/cpython/pull/135464
https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41 (main)
https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b (v3.14.0b3)
https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949 (3.13-branch)
Связанные уязвимости
A denial-of-service (DoS) vulnerability has been discovered in Python's html.parser.HTMLParser class. When processing specially malformed HTML input, the parsing runtime can become quadratic with respect to the input size. This significantly increased processing time can lead to excessive resource consumption, ultimately causing a denial-of-service condition in applications that rely on this parser.
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.