IPv6 address parsing doesn't limit buffer size #128840

Closed
sethmlarson opened this issue Jan 14, 2025 · 7 comments
Labels: release-blocker; stdlib (Python modules in the Lib dir); type-bug (An unexpected behavior, bug, or error); type-security (A security issue)

Comments

@sethmlarson
Contributor

sethmlarson commented Jan 14, 2025

Bug report

Bug description:

IPv6 addresses have a maximum length (8 colon-separated parts) but the current implementation doesn't limit the length. Similar issue to django/django@ca2be77

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs

sethmlarson added the type-bug and type-security labels Jan 14, 2025
picnixz added the stdlib label Jan 14, 2025
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Jan 14, 2025
@serhiy-storchaka
Member

I do not think this is a security issue.

gpshead added a commit that referenced this issue May 24, 2025
GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------

Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
gpshead added a commit that referenced this issue May 24, 2025
…H-128841) (#134610)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
gpshead added a commit that referenced this issue May 24, 2025
…H-128841) (#134611)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Yhg1s pushed a commit that referenced this issue May 26, 2025
…H-128841) (#134612)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@frenzymadness
Contributor

Are you sure the fix for the issue is backward-compatible? It seems to me that addresses like 1111:2222:3333:4444:5555:6666:255.255.255.255 are now rejected even though they are valid as far as I know. Embedding of an IPv4 address into an IPv6 address is an established standard.

@frenzymadness
Contributor

Python 3.13:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
>>> addr
IPv6Address('1111:2222:3333:4444:5555:6666:ffff:ffff')

Python 3.14 beta 2:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
Traceback (most recent call last):
  File "<python-input-7>", line 1, in <module>
    addr = ipaddress.IPv6Address(domain_literal)
  File "/usr/lib64/python3.14/ipaddress.py", line 1952, in __init__
    self._ip = self._ip_int_from_string(addr_str)
               ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib64/python3.14/ipaddress.py", line 1666, in _ip_int_from_string
    raise AddressValueError(msg)
ipaddress.AddressValueError: At most 39 characters expected in '1111:2222:3333'(17 chars elided)'55.255.255.255'
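
The length bounds at issue in this thread, as an added example (not part of the thread and not CPython's code): a hex-only IPv6 literal is at most 39 characters, but one with an embedded IPv4 tail can reach 45, so a pre-parse cap has to use the larger bound. The helper names (`precheck_ipv6`, `accepted`, `parse_ipv6`) and the sample inputs are constructed for illustration; scope IDs such as `%eth0` are assumed to be stripped beforehand.

```python
import ipaddress

HEXTETS = 8                                   # 16-bit groups in an IPv6 address
MAX_HEX_ONLY = HEXTETS * 4 + (HEXTETS - 1)    # 39: eight 4-digit groups + 7 colons
# Six hex groups + six colons + a dotted-quad tail: 24 + 6 + 15 = 45
MAX_WITH_IPV4 = (HEXTETS - 2) * 5 + len("255.255.255.255")
MAX_PARTS = HEXTETS + 1                       # "1:2:3:4:5:6:7::" has 8 colons, 9 parts


def precheck_ipv6(text, max_len=MAX_WITH_IPV4):
    """Bound the work done on untrusted input before any real parsing."""
    if len(text) > max_len:
        raise ValueError(f"at most {max_len} characters expected, got {len(text)}")
    # Cap the split as well, so at most MAX_PARTS + 1 pieces are ever built.
    parts = text.split(":", MAX_PARTS)
    if len(parts) > MAX_PARTS:
        raise ValueError(f"at most {HEXTETS} colons permitted")
    return parts


def accepted(text, max_len):
    """True if `text` passes the pre-check under the given length cap."""
    try:
        precheck_ipv6(text, max_len)
    except ValueError:
        return False
    return True


def parse_ipv6(text):
    """Pre-check, then hand off to the standard-library parser."""
    precheck_ipv6(text)
    return ipaddress.IPv6Address(text)


# Constructed sample inputs; the first is the address quoted in the thread.
EMBEDDED_V4 = "1111:2222:3333:4444:5555:6666:255.255.255.255"
OVERSIZED = "0:" * 5000

if __name__ == "__main__":
    for cap in (MAX_HEX_ONLY, MAX_WITH_IPV4):
        print(cap, accepted(EMBEDDED_V4, cap), accepted(OVERSIZED, cap))
    print(parse_ipv6("::1"))
```
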

@hroncok
Contributor

hroncok commented May 28, 2025

I'd like to ensure this is resolved before it is released in 3.13.4 and 3.12.11 as a (potential) regression. cc @Yhg1s

@gpshead
Member

gpshead commented May 28, 2025

Good catch and thank you for the fixes!

gpshead pushed a commit that referenced this issue May 28, 2025
…address (GH-134836) (#134846)

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836)
(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
gpshead pushed a commit that referenced this issue May 28, 2025
…address (GH-134836) (#134845)

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836)
(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
…H-128841) (GH-134613)

Limit length of IP address string to 39

(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
…H-128841) (GH-134614)

Limit length of IP address string to 39

(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
…H-128841) (GH-134615)

Limit length of IP address string to 39

(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 3, 2025
…ddress (pythonGH-134836)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
…address (GH-134836) (GH-135089)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
…address (GH-134836) (GH-135091)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv added a commit that referenced this issue Jun 3, 2025
…address (GH-134836) (GH-134847)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Łukasz Langa <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
…ddress (GH-134836) (GH-135090)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
@ambv ambv closed this as completed Jun 3, 2025
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
Updating ipaddress to allow fixing the referenced bug and
almost-security issue with it.

References: bsc#1244401
References: gh#python#128840
From-PR: gh#phihag/ipaddress!60
Patch: ipaddress-update-pr60.patch
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
IPv6 addresses have a maximum length (8 colon-separated parts)
but the current implementation doesn't limit the length.

Fixes: bsc#1244401
Fixes: gh#python#128840
References: CVE-2024-56374
From-PR: gh#python/cpython!135090
Patch: gh-128840_parse-IPv6-with-emb-IPv4.patch
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
Updating ipaddress to allow fixing the referenced bug and
almost-security issue with it.

References: bsc#1244401
References: gh#python#128840
Depends-on: gh#openSUSE-Python/cpython@4f2496b (2024-12-02)
Depends-on: gh#openSUSE-Python/cpython@2976e94 (2024-07-27)
From-PR: gh#phihag/ipaddress!60
Patch: ipaddress-update-pr60.patch
@mcepl
Contributor

mcepl commented Jun 14, 2025

Backport of fix for this bug to Python 3.6 including rebasing ipaddress to the 3.8-level using code from phihag/ipaddress#60 is available for review in the branch https://github.com/openSUSE-Python/cpython/tree/opensuse_3.6_gh-128840_parse-IPv6-with-emb-IPv4

If anybody is interested in review or comments, I would love to hear from you.
