Bug#988480: pydantic: CVE-2021-29510

Thu, 13 May 2021 13:33:16 -0700 

Source: pydantic
Version: 1.7.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pydantic.

Note, strictly speaking the severity is slightly choosen inaproritate
for the type of security issue. Making it RC given pydantic is only in
testing and unstable, and a fix should go into bullseye before the
bullseye release.

CVE-2021-29510[0]:
| Pydantic is a data validation and settings management using Python
| type hinting. In affected versions passing either `'infinity'`,
| `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date`
| fields causes validation to run forever with 100% CPU usage (on one
| CPU). Pydantic has been patched with fixes available in the following
| versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on
| pypi(https://pypi.org/project/pydantic/#history), and will be
| available on conda-forge(https://anaconda.org/conda-forge/pydantic)
| soon. See the changelog(https://pydantic-docs.helpmanual.io/) for
| details. If you absolutely can't upgrade, you can work around this
| risk using a validator(https://pydantic-
| docs.helpmanual.io/usage/validators/) to catch these values. This is
| not an ideal solution (in particular you'll need a slightly different
| function for datetimes), instead of a hack like this you should
| upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and
| are unable to upgrade to a fixed version of pydantic, please create an
| issue at https://github.com/samuelcolvin/pydantic/issues requesting a
| back-port, and we will endeavour to release a patch for earlier
| versions of pydantic.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29510
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29510
[1] 
https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
[2] 
https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468

Regards,
Salvatore

Reply via email to