Bug 1046174 (CVE-2013-1752)

Summary: CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adev88, aileenc, akurtako, alee, amcnabb, bgollahe, bkabrda, bleanhar, briang, carnil, ccoleman, cdewolf, cperry, dandread, darran.lofthouse, derks, dmalcolm, dmcphers, drieden, extras-orphan, fdc, grocha, gvarsami, ivazqueznet, jason.greene, jawilson, jbpapp-maint, jcoleman, jdetiber, jeffrey.ness, jialiu, jkeck, jkurik, jmatthew, jokerman, jonathansteffan, jorton, kanderso, katzj, kconner, kroberts, kseifried, ldimaggi, lgao, lkundrak, lmeyer, mmaslano, mmccomas, mmcgrath, mmraka, mstuchli, myarboro, ncoghlan, nwallace, pavelp, pgier, pmackinn, pslavice, python-maint, rkuska, rsvoboda, rwagner, soa-p-jira, tcunning, tdawson, tjay, tkirby, tomspur, tradej, vkrizan, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120925,reported=20121220,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-400,rhel-5/python=wontfix,rhel-6/python=affected,rhel-7/python=affected,rhscl-1/python27-python=affected,rhscl-2/python33-python=wontfix,rhscl-2/rh-python34-python=notaffected,fedora-all/python=affected,fedora-all/python3=affected,epel-5/python26=affected,rhel-6/jython=wontfix,openshift-enterprise-2/jython=wontfix,rhn_satellite_5.4/jython=wontfix,rhn_satellite_5.5/jython=wontfix,eap-6/jython-eap6=notaffected,soap-4.3/jython=wontfix,soap-5/jython=wontfix,fedora-all/jython=affected,epel-7/jython=affected,epel-5/jython=affected,rhel-5/redhat-support-lib-python=wontfix,rhel-6/redhat-support-lib-python=wontfix,rhel-7/redhat-support-lib-python=wontfix
Fixed In Version: python 3.2.6, python 3.3.4, python 3.4.0 Doc Type: Bug Fix
Doc Text:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-20 10:34:07 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1159202, 1159200, 1159201, 1159203, 1168230, 1168231, 1187779, 1206572, 1206574    
Bug Blocks: 1046175, 1210268    

Description Vincent Danen 2013-12-23 18:30:32 EST
Multiple denial of service flaws were reported against various parts of Python's stdlib:

* httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4])
* ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8])
* imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11])
* nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15])
* poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18])
* smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x)

Unfortunately, upstream assigned a single CVE to all of these, however I do not believe they can all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions).  So this will likely require MITRE to detangle.

[1] http://bugs.python.org/issue16037
[2] http://hg.python.org/cpython/rev/8a22a2804a66/
[3] http://hg.python.org/cpython/rev/582e5072ff89
[4] http://hg.python.org/cpython/rev/e445d02e5306/
[5] http://bugs.python.org/issue16038
[6] http://hg.python.org/cpython/rev/44ac81e6d584/
[7] http://hg.python.org/cpython/rev/8b19e7d0be45/
[8] http://hg.python.org/cpython/rev/38db4d0726bd/
[9] http://bugs.python.org/issue16039
[10] http://hg.python.org/cpython/rev/4190568ceda0/
[11] http://hg.python.org/cpython/rev/4b0364fc5711/
[12] http://bugs.python.org/issue16040
[13] http://hg.python.org/cpython/rev/36680a7c0e22/
[14] http://hg.python.org/cpython/rev/731abf7834c4/
[15] http://hg.python.org/cpython/rev/fc88bd80d925/
[16] http://bugs.python.org/issue16041
[17] http://hg.python.org/cpython/rev/7214e3324a45/
[18] http://hg.python.org/cpython/rev/68029048c9c6/
[19] http://bugs.python.org/issue16042
[20] http://hg.python.org/cpython/rev/8a6def3add5b/
Comment 1 Tomas Hoger 2014-10-30 16:35:01 EDT
* httplib

There are actually two separate issues for httplib under this CVE.  The first issue was originally reported in the following upstream bug:


This bug covers use of readline() without size limit, which can lead to excessive memory usage if a malicious or broken HTTP server sends excessively long lines without any line breaks.  Issue was addressed upstream in the following commit:


and backported to 2.7 and 3.1 branches:

2.7  https://hg.python.org/cpython/rev/965314f12f71
3.1  https://hg.python.org/cpython/rev/3c182f71d4c9

This fix was never backported to 2.6 branch upstream.

Mentioned backports to 2.7 and 3.1 missed one readline() call in _read_status().  This is one of the problems covered by the upstream bug:


The missed call was corrected in 2.7 branch in the following commit:

2.7  https://hg.python.org/cpython/rev/8a22a2804a66

The second issue in the upstream issue16037 is the lack of restriction on the number of HTTP headers server can send.  This issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3 branches:

2.6  https://hg.python.org/cpython/rev/582e5072ff89
2.7  https://hg.python.org/cpython/rev/5e310c6a8520
3.3  https://hg.python.org/cpython/rev/e445d02e5306

Patches limit the number of headers to 100.  Exception is raised if server sends more headers.
Comment 2 Tomas Hoger 2014-10-30 16:42:41 EDT
* ftplib

Upstream bug is:


This issue is similar to the unlimited readline() use in httplib, as described in comment 1.  Issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3.

2.6  https://hg.python.org/cpython/rev/8b19e7d0be45
2.7  https://hg.python.org/cpython/rev/44ac81e6d584
3.3  https://hg.python.org/cpython/rev/38db4d0726bd
Comment 3 Tomas Hoger 2014-10-30 16:48:37 EDT
* imaplib

Upstream bug is:


Another case of unlimited readline(), imaplib in this case.  Fixed upstream in 2.6, 2.7, 3.2 and 3.3:

2.6  https://hg.python.org/cpython/rev/4190568ceda0
2.7  https://hg.python.org/cpython/rev/dd906f4ab923
3.3  https://hg.python.org/cpython/rev/4b0364fc5711
Comment 4 Tomas Hoger 2014-10-30 17:58:28 EDT
* nntplib

Upstream bug is:


Another unlimited readline(), fixed upstream in 2.6, 2.7, 3.2 and 3.3:

2.6  https://hg.python.org/cpython/rev/731abf7834c4
2.7  https://hg.python.org/cpython/rev/36680a7c0e22
3.3  https://hg.python.org/cpython/rev/fc88bd80d925
Comment 5 Tomas Hoger 2014-10-30 18:01:46 EDT
* poplib

Upstream bug is:


Another unlimited readline().  Fixed upstream in 2.6, 3.2 and 3.3.  2.7 is still unfixed upstream.

2.6  https://hg.python.org/cpython/rev/7214e3324a45
3.3  https://hg.python.org/cpython/rev/68029048c9c6
Comment 6 Tomas Hoger 2014-10-30 18:06:05 EDT
* smtplib

Upstream bug is:


Similar to the poplib, this was fixed upstream in 2.6, 3.2 and 3.3, but remains unfixed in 2.7 to date.

2.6  https://hg.python.org/cpython/rev/8a6def3add5b
3.3  https://hg.python.org/cpython/rev/d62a67318023
Comment 7 Tomas Hoger 2014-10-30 18:22:59 EDT
All issues are listed as fixed in python 2.6.9.  However, as noted in comment 1, httplib unlimited readline() was never fixed in 2.6.


Status for the 2.7 upstream is:
- 2.7.4 - fixed httplib _read_status() readline
- 2.7.6 - ftplib and nntplib
- 2.7.7 - imaplib
- upcoming 2.7.9 - should add httplib header limit
- poplib and smtplib are unfixed in 2.7 branch in upstream mercurial

Status for 3.3 is:
- 3.3.3 - httplib header limit, ftplib, imaplib, nntplib, poplib
- 3.3.4 - smtplib

3.2 has all fixes applied in upstream version 3.2.6.
Comment 8 Tomas Hoger 2014-10-31 04:11:20 EDT
Fedora status:

- python - using 2.7.5, hence affected by most issues
- python/rawhide - using 2.7.8, missing httplib, poplib and smtplib
- python3 - using 3.3.2, hence affected by most issues
- python3/rawhide - using 3.4.1, all issues fixed
Comment 9 Tomas Hoger 2014-10-31 04:15:24 EDT
Affected modules are also part of Jython standard library.  Looking at the upstream repositories, only httplib readline issue is fixed in upcoming 2.7 version.  No issue is fixed in 2.2 or 2.5 branches.
Comment 10 Tomas Hoger 2014-10-31 04:27:56 EDT
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1159200]
Comment 11 Tomas Hoger 2014-10-31 04:28:02 EDT
Created jython tracking bugs for this issue:

Affects: fedora-all [bug 1159201]
Affects: epel-7 [bug 1159202]
Affects: epel-5 [bug 1159203]
Comment 13 Pavel Polischouk 2014-10-31 11:22:53 EDT

Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 14 Tomas Hoger 2014-11-26 08:14:16 EST
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1168230]
Comment 15 Tomas Hoger 2014-11-26 08:14:53 EST
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1168231]
Comment 19 Fedora Update System 2015-04-18 05:42:54 EDT
python-2.7.8-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-04-21 15:25:24 EDT
jnr-posix-3.0.9-3.fc22, jline-2.12.1-1.fc22, jython-2.7-0.7.rc2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2015-04-22 18:41:43 EDT
python-2.7.5-16.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2015-06-04 04:29:40 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
Comment 23 errata-xmlrpc 2015-07-22 02:39:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html
Comment 31 errata-xmlrpc 2015-11-19 07:42:01 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html