Skip to content

IPv6 address parsing doesn't limit buffer size #128840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sethmlarson opened this issue Jan 14, 2025 · 7 comments
Closed

IPv6 address parsing doesn't limit buffer size #128840

sethmlarson opened this issue Jan 14, 2025 · 7 comments
Labels
release-blocker stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@sethmlarson
Copy link
Contributor

sethmlarson commented Jan 14, 2025
edited by bedevere-app bot
Loading

Bug report

Bug description:

IPv6 addresses have a maximum length (8 colon-separated parts) but the current implementation doesn't limit the length. Similar issue to django/django@ca2be77

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs
@sethmlarson sethmlarson added type-bug An unexpected behavior, bug, or error type-security A security issue labels Jan 14, 2025
@picnixz picnixz added the stdlib Python modules in the Lib dir label Jan 14, 2025
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Jan 14, 2025
@sethmlarson
pythonGH-128840: Limit the number of parts in IPv6 address parsing
115bec4
@sethmlarson sethmlarson mentioned this issue Jan 14, 2025
Merged
@serhiy-storchaka
Copy link
Member

I do not think this is a security issue.

gpshead added a commit that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead
gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)
47f1161 
GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------

Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
c2885f9 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@miss-islington miss-islington mentioned this issue May 24, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
67fabcd 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@miss-islington miss-islington mentioned this issue May 24, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
9984c3a 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@miss-islington miss-islington mentioned this issue May 24, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
d575c30 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@miss-islington miss-islington mentioned this issue May 24, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
bb72b92 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@miss-islington miss-islington mentioned this issue May 24, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
ea823ab 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@miss-islington miss-islington mentioned this issue May 24, 2025
Merged
gpshead added a commit that referenced this issue May 24, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.14] gh-128840: Limit the number of parts in IPv6 address parsing (G…
576177d 
…H-128841) (#134610)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
gpshead added a commit that referenced this issue May 24, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.13] gh-128840: Limit the number of parts in IPv6 address parsing (G…
2e30341 
…H-128841) (#134611)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Yhg1s pushed a commit that referenced this issue May 26, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.12] gh-128840: Limit the number of parts in IPv6 address parsing (G…
d4cf1fa 
…H-128841) (#134612)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@frenzymadness
Copy link
Contributor

Are you sure the fix for the issue is backward-compatible? It seems to me that addresses like 1111:2222:3333:4444:5555:6666:255.255.255.255 are now rejected even they are valid as far as I know. Embedding of an IPv4 address into an IPv6 address is an established standard.

@frenzymadness
Copy link
Contributor

Python 3.13:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
>>> addr
IPv6Address('1111:2222:3333:4444:5555:6666:ffff:ffff')

Python 3.14 beta 2:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
Traceback (most recent call last):
  File "<python-input-7>", line 1, in <module>
    addr = ipaddress.IPv6Address(domain_literal)
  File "/usr/lib64/python3.14/ipaddress.py", line 1952, in __init__
    self._ip = self._ip_int_from_string(addr_str)
               ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib64/python3.14/ipaddress.py", line 1666, in _ip_int_from_string
    raise AddressValueError(msg)
ipaddress.AddressValueError: At most 39 characters expected in '1111:2222:3333'(17 chars elided)'55.255.255.255'

@hroncok
Copy link
Contributor

hroncok commented May 28, 2025
edited
Loading

I'd like to ensure this is resolved before it is released in 3.13.4 and 3.12.11 as a (potential) regression. cc @Yhg1s

serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this issue May 28, 2025
@serhiy-storchaka
pythongh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
9ae42bf 
…ddress
@bedevere-app bedevere-app bot mentioned this issue May 28, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 28, 2025
@serhiy-storchaka @miss-islington
pythongh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
e32d762 
…ddress (pythonGH-134836)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
This was referenced May 28, 2025
Merged
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 28, 2025
@serhiy-storchaka @miss-islington
pythongh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
427311c 
…ddress (pythonGH-134836)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
@bedevere-app bedevere-app bot mentioned this issue May 28, 2025
Merged
@gpshead
Copy link
Member

gpshead commented May 28, 2025

Good catch and thank you for the fixes!

gpshead pushed a commit that referenced this issue May 28, 2025
@miss-islington @serhiy-storchaka
[3.13] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 …
a0287bf 
…address (GH-134836) (#134846)

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836)
(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
gpshead pushed a commit that referenced this issue May 28, 2025
@miss-islington @serhiy-storchaka
[3.14] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 …
2440449 
…address (GH-134836) (#134845)

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836)
(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.11] gh-128840: Limit the number of parts in IPv6 address parsing (G…
da37555 
…H-128841) (GH-134613)

Limit length of IP address string to 39

(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.10] gh-128840: Limit the number of parts in IPv6 address parsing (G…
c0e2658 
…H-128841) (GH-134614)

Limit length of IP address string to 39

(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.9] gh-128840: Limit the number of parts in IPv6 address parsing (G…
78394a6 
…H-128841) (GH-134615)

Limit length of IP address string to 39

(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 3, 2025
@serhiy-storchaka @miss-islington
pythongh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
1a36a08 
…ddress (pythonGH-134836)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 3, 2025
@serhiy-storchaka @miss-islington
pythongh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
c685992 
…ddress (pythonGH-134836)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 3, 2025
@serhiy-storchaka @miss-islington
pythongh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
96d5d9e 
…ddress (pythonGH-134836)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
This was referenced Jun 3, 2025
Merged
Merged
ambv pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @serhiy-storchaka
[3.10] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 …
c71ea4b 
…address (GH-134836) (GH-135089)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @serhiy-storchaka
[3.11] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 …
2c6ca1a 
…address (GH-134836) (GH-135091)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
ambv added a commit that referenced this issue Jun 3, 2025
@miss-islington @serhiy-storchaka @ambv
[3.12] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 …
fcf3ea0 
…address (GH-134836) (GH-134847)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Łukasz Langa <[email protected]>
ambv pushed a commit that referenced this issue Jun 3, 2025
@miss-islington @serhiy-storchaka
[3.9] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 a…
24eaf53 
…ddress (GH-134836) (GH-135090)

(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
@ambv ambv closed this as completed Jun 3, 2025
@xry111 xry111 mentioned this issue Jun 4, 2025
Closed
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
@mcepl
update ipaddress to 3.8 equivalent
31f68e6 
Updating ipaddress to allow fixing the referenced bug and
almost-security issue with it.

References: bsc#1244401
References: gh#python#128840
From-PR: gh#phihag/ipaddress!60
Patch: ipaddress-update-pr60.patch
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
@mcepl
limit parsing long IPv6 address
da99ed4 
IPv6 addresses have a maximum length (8 colon-separated parts)
but the current implementation doesn't limit the length.

Fixes: bsc#1244401
Fixes: gh#python#128840
References: CVE-2024-56374
From-PR: gh#python/cpython!135090
Patch: gh-128840_parse-IPv6-with-emb-IPv4.patch
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
@mcepl
update ipaddress to 3.8 equivalent
ed95e09 
Updating ipaddress to allow fixing the referenced bug and
almost-security issue with it.

References: bsc#1244401
References: gh#python#128840
Depends-on: gh#openSUSE-Python/cpython@4f2496b (2024-12-02)
Depends-on: gh#openSUSE-Python/cpython@2976e94 (2024-07-27)
From-PR: gh#phihag/ipaddress!60
Patch: ipaddress-update-pr60.patch
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Jun 14, 2025
@mcepl
limit parsing long IPv6 address
7e4d49a 
IPv6 addresses have a maximum length (8 colon-separated parts)
but the current implementation doesn't limit the length.

Fixes: bsc#1244401
Fixes: gh#python#128840
References: CVE-2024-56374
From-PR: gh#python/cpython!135090
Patch: gh-128840_parse-IPv6-with-emb-IPv4.patch
@mcepl
Copy link
Contributor

mcepl commented Jun 14, 2025

Backport of fix for this bug to Python 3.6 including rebasing ipaddress to the 3.8-level using code from phihag/ipaddress#60 is available for review in the branch https://github.com/openSUSE-Python/cpython/tree/opensuse_3.6_gh-128840_parse-IPv6-with-emb-IPv4

If anybody is interested in review or comments, I would love to hear from you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
release-blocker stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
Release and Deferred blockers 🚫
Status: Done
Milestone
No milestone
Development

No branches or pull requests
8 participants
@ambv @gpshead @mcepl @hroncok @serhiy-storchaka @frenzymadness @picnixz @sethmlarson