Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||adev88, aileenc, akurtako, alee, amcnabb, bgollahe, bkabrda, bleanhar, briang, carnil, ccoleman, cdewolf, cperry, dandread, darran.lofthouse, derks, dmalcolm, dmcphers, drieden, extras-orphan, fdc, grocha, gvarsami, ivazqueznet, jason.greene, jawilson, jbpapp-maint, jcoleman, jdetiber, jeffrey.ness, jialiu, jkeck, jkurik, jmatthew, jokerman, jonathansteffan, jorton, kanderso, katzj, kconner, kroberts, kseifried, ldimaggi, lgao, lkundrak, lmeyer, mmaslano, mmccomas, mmcgrath, mmraka, mstuchli, myarboro, ncoghlan, nwallace, pavelp, pgier, pmackinn, pslavice, python-maint, rkuska, rsvoboda, rwagner, soa-p-jira, tcunning, tdawson, tjay, tkirby, tomspur, tradej, vkrizan, vtunka|
|Fixed In Version:||python 3.2.6, python 3.3.4, python 3.4.0||Doc Type:||Bug Fix|
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
|Last Closed:||2015-11-20 10:34:07 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1159202, 1159200, 1159201, 1159203, 1168230, 1168231, 1187779, 1206572, 1206574|
|Bug Blocks:||1046175, 1210268|
Description Vincent Danen 2013-12-23 18:30:32 EST
Multiple denial of service flaws were reported against various parts of Python's stdlib: * httplib  (fixed in 2.7.4 , 2.6.9 , and 3.3.3 ) * ftplib  (fixed in 2.7.6 , 2.6.9 , 3.3.3 ) * imaplib  (not yet fixed in 2.7.x, fixed in 2.6.9 , 3.3.3 ) * nntplib  (fixed in 2.7.6 , 2.6.9 , 3.3.3 ) * poplib  (not yet fixed in 2.7.x, fixed in 2.6.9 , 3.3.3 ) * smtplib  (not yet fixed in 2.7.x, fixed in 2.6.9 , not yet fixed in 3.3.x) Unfortunately, upstream assigned a single CVE to all of these, however I do not believe they can all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions). So this will likely require MITRE to detangle.  http://bugs.python.org/issue16037  http://hg.python.org/cpython/rev/8a22a2804a66/  http://hg.python.org/cpython/rev/582e5072ff89  http://hg.python.org/cpython/rev/e445d02e5306/  http://bugs.python.org/issue16038  http://hg.python.org/cpython/rev/44ac81e6d584/  http://hg.python.org/cpython/rev/8b19e7d0be45/  http://hg.python.org/cpython/rev/38db4d0726bd/  http://bugs.python.org/issue16039  http://hg.python.org/cpython/rev/4190568ceda0/  http://hg.python.org/cpython/rev/4b0364fc5711/  http://bugs.python.org/issue16040  http://hg.python.org/cpython/rev/36680a7c0e22/  http://hg.python.org/cpython/rev/731abf7834c4/  http://hg.python.org/cpython/rev/fc88bd80d925/  http://bugs.python.org/issue16041  http://hg.python.org/cpython/rev/7214e3324a45/  http://hg.python.org/cpython/rev/68029048c9c6/  http://bugs.python.org/issue16042  http://hg.python.org/cpython/rev/8a6def3add5b/
Comment 1 Tomas Hoger 2014-10-30 16:35:01 EDT
* httplib There are actually two separate issues for httplib under this CVE. The first issue was originally reported in the following upstream bug: http://bugs.python.org/issue6791 This bug covers use of readline() without size limit, which can lead to excessive memory usage if a malicious or broken HTTP server sends excessively long lines without any line breaks. Issue was addressed upstream in the following commit: https://hg.python.org/cpython/rev/0b94635ed2f6 and backported to 2.7 and 3.1 branches: 2.7 https://hg.python.org/cpython/rev/965314f12f71 3.1 https://hg.python.org/cpython/rev/3c182f71d4c9 This fix was never backported to 2.6 branch upstream. Mentioned backports to 2.7 and 3.1 missed one readline() call in _read_status(). This is one of the problems covered by the upstream bug: http://bugs.python.org/issue16037 The missed call was corrected in 2.7 branch in the following commit: 2.7 https://hg.python.org/cpython/rev/8a22a2804a66 The second issue in the upstream issue16037 is the lack of restriction on the number of HTTP headers server can send. This issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3 branches: 2.6 https://hg.python.org/cpython/rev/582e5072ff89 2.7 https://hg.python.org/cpython/rev/5e310c6a8520 3.3 https://hg.python.org/cpython/rev/e445d02e5306 Patches limit the number of headers to 100. Exception is raised if server sends more headers.
Comment 2 Tomas Hoger 2014-10-30 16:42:41 EDT
* ftplib Upstream bug is: http://bugs.python.org/issue16038 This issue is similar to the unlimited readline() use in httplib, as described in comment 1. Issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3. 2.6 https://hg.python.org/cpython/rev/8b19e7d0be45 2.7 https://hg.python.org/cpython/rev/44ac81e6d584 3.3 https://hg.python.org/cpython/rev/38db4d0726bd
Comment 3 Tomas Hoger 2014-10-30 16:48:37 EDT
* imaplib Upstream bug is: http://bugs.python.org/issue16039 Another case of unlimited readline(), imaplib in this case. Fixed upstream in 2.6, 2.7, 3.2 and 3.3: 2.6 https://hg.python.org/cpython/rev/4190568ceda0 2.7 https://hg.python.org/cpython/rev/dd906f4ab923 3.3 https://hg.python.org/cpython/rev/4b0364fc5711
Comment 4 Tomas Hoger 2014-10-30 17:58:28 EDT
* nntplib Upstream bug is: http://bugs.python.org/issue16040 Another unlimited readline(), fixed upstream in 2.6, 2.7, 3.2 and 3.3: 2.6 https://hg.python.org/cpython/rev/731abf7834c4 2.7 https://hg.python.org/cpython/rev/36680a7c0e22 3.3 https://hg.python.org/cpython/rev/fc88bd80d925
Comment 5 Tomas Hoger 2014-10-30 18:01:46 EDT
* poplib Upstream bug is: http://bugs.python.org/issue16041 Another unlimited readline(). Fixed upstream in 2.6, 3.2 and 3.3. 2.7 is still unfixed upstream. 2.6 https://hg.python.org/cpython/rev/7214e3324a45 3.3 https://hg.python.org/cpython/rev/68029048c9c6
Comment 6 Tomas Hoger 2014-10-30 18:06:05 EDT
* smtplib Upstream bug is: http://bugs.python.org/issue16042 Similar to the poplib, this was fixed upstream in 2.6, 3.2 and 3.3, but remains unfixed in 2.7 to date. 2.6 https://hg.python.org/cpython/rev/8a6def3add5b 3.3 https://hg.python.org/cpython/rev/d62a67318023
Comment 7 Tomas Hoger 2014-10-30 18:22:59 EDT
All issues are listed as fixed in python 2.6.9. However, as noted in comment 1, httplib unlimited readline() was never fixed in 2.6. https://www.python.org/download/releases/2.6.9/ Status for the 2.7 upstream is: - 2.7.4 - fixed httplib _read_status() readline - 2.7.6 - ftplib and nntplib - 2.7.7 - imaplib - upcoming 2.7.9 - should add httplib header limit - poplib and smtplib are unfixed in 2.7 branch in upstream mercurial Status for 3.3 is: - 3.3.3 - httplib header limit, ftplib, imaplib, nntplib, poplib - 3.3.4 - smtplib 3.2 has all fixes applied in upstream version 3.2.6.
Comment 8 Tomas Hoger 2014-10-31 04:11:20 EDT
Fedora status: - python - using 2.7.5, hence affected by most issues - python/rawhide - using 2.7.8, missing httplib, poplib and smtplib - python3 - using 3.3.2, hence affected by most issues - python3/rawhide - using 3.4.1, all issues fixed
Comment 9 Tomas Hoger 2014-10-31 04:15:24 EDT
Affected modules are also part of Jython standard library. Looking at the upstream repositories, only httplib readline issue is fixed in upcoming 2.7 version. No issue is fixed in 2.2 or 2.5 branches.
Comment 10 Tomas Hoger 2014-10-31 04:27:56 EDT
Created python tracking bugs for this issue: Affects: fedora-all [bug 1159200]
Comment 11 Tomas Hoger 2014-10-31 04:28:02 EDT
Created jython tracking bugs for this issue: Affects: fedora-all [bug 1159201] Affects: epel-7 [bug 1159202] Affects: epel-5 [bug 1159203]
Comment 13 Pavel Polischouk 2014-10-31 11:22:53 EDT
Statement: Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 14 Tomas Hoger 2014-11-26 08:14:16 EST
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1168230]
Comment 15 Tomas Hoger 2014-11-26 08:14:53 EST
Created python26 tracking bugs for this issue: Affects: epel-5 [bug 1168231]
Comment 19 Fedora Update System 2015-04-18 05:42:54 EDT
python-2.7.8-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-04-21 15:25:24 EDT
jnr-posix-3.0.9-3.fc22, jline-2.12.1-1.fc22, jython-2.7-0.7.rc2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2015-04-22 18:41:43 EDT
python-2.7.5-16.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2015-06-04 04:29:40 EDT
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
Comment 23 errata-xmlrpc 2015-07-22 02:39:22 EDT
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html