Bug 789790 (CVE-2012-0845)

Summary: CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
Product: [Other] Security Response
Reporter: Dan Callaghan <dcallagh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amaris, dmalcolm, fche, jlieskov, jrusnack, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=moderate,public=20120212,reported=20120212,source=upstream,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-4/python=notaffected,rhel-5/python=notaffected,epel-5/python26=affected,rhel-6/python=affected,fedora-all/python=affected,fedora-all/python3=affected,fedora-all/pypy=affected
Fixed In Version: python 2.6.8, python 2.7.3, python 3.1.5, python 3.2.3
Doc Type: Bug Fix
Last Closed: 2013-04-11 16:01:53 EDT
Bug Depends On: 790027, 790358, 790360, 790366, 805382, 805383, 808303, 808304, 808306    
Bug Blocks: 790031    

Description Dan Callaghan 2012-02-12 20:21:44 EST
Description of problem:

When using SimpleXMLRPCServer from the standard library, if a client connection is closed before the complete request body has been received the server will enter an infinite loop consuming memory.


Version-Release number of selected component (if applicable):

python-2.6.6-29.el6.x86_64


How reproducible:

always


Steps to Reproduce:

1. Start the server:
>>> import SimpleXMLRPCServer, SocketServer
>>> class Server(SocketServer.ThreadingMixIn, SimpleXMLRPCServer.SimpleXMLRPCServer): pass
... 
>>> Server(('0.0.0.0', 12345)).serve_forever()

2. Simulate a malicious or flakey client:
$ echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345
^C

  
Actual results:

Server goes nuts, with a thread stuck in an infinite loop eating memory.


Expected results:

Bad request is discarded.


Additional info:

The bug is in /usr/lib64/python2.6/SimpleXMLRPCServer.py at line 453:

    # Get arguments by reading body of request.
    # We read this in chunks to avoid straining
    # socket.read(); around the 10 or 15Mb mark, some platforms
    # begin to have problems (bug #792570).
    max_chunk_size = 10*1024*1024
    size_remaining = int(self.headers["content-length"])
    L = []
    while size_remaining:
        chunk_size = min(size_remaining, max_chunk_size)
        L.append(self.rfile.read(chunk_size))
        size_remaining -= len(L[-1])
    data = ''.join(L)

This code does not correctly handle EOF from self.rfile.read().
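
The EOF case described in the report above, as an added Python 3 example (not code from the report or from the Python project). It runs the quoted loop against a truncated body with an iteration cap added so the demonstration terminates, next to a variant that stops on an empty read; the function names, the cap and the sample body are assumptions made for this example.

```python
import io

MAX_CHUNK = 10 * 1024 * 1024  # chunk size used by the quoted loop


def read_body_original(rfile, content_length, max_iterations=1000):
    """The quoted loop with an iteration cap (added for this demo only).

    Returns (data, iterations, hit_cap).
    """
    size_remaining = content_length
    chunks = []
    iterations = 0
    while size_remaining:
        if iterations >= max_iterations:
            return b"".join(chunks), iterations, True
        chunk_size = min(size_remaining, MAX_CHUNK)
        chunks.append(rfile.read(chunk_size))  # b"" at EOF, appended anyway
        size_remaining -= len(chunks[-1])      # subtracts 0, so no progress
        iterations += 1
    return b"".join(chunks), iterations, False


def read_body_checked(rfile, content_length):
    """Same chunked read, but an empty read (EOF) ends the loop.

    Returns (data, complete); complete is False for a truncated body.
    """
    size_remaining = content_length
    chunks = []
    while size_remaining > 0:
        chunk = rfile.read(min(size_remaining, MAX_CHUNK))
        if not chunk:  # peer closed before sending Content-Length bytes
            break
        chunks.append(chunk)
        size_remaining -= len(chunk)
    return b"".join(chunks), size_remaining == 0


def truncated_request():
    """Constructed sample: 8 body bytes sent against Content-Length: 100."""
    return io.BytesIO(b"lol bye\n"), 100


if __name__ == "__main__":
    print(read_body_original(*truncated_request())[1:])
    print(read_body_checked(*truncated_request()))
```

A handler using the checked variant would discard the request when `complete` is False, which matches the expected result stated in the report.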
Comment 3 Jan Lieskovsky 2012-02-13 08:47:33 EST
Issue reported upstream as:
[1] http://bugs.python.org/issue14001
Comment 4 Jan Lieskovsky 2012-02-13 08:57:26 EST
This issue did NOT affect the versions of the python package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the python package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the version of the python26 package, as shipped with Fedora EPEL 5. Please schedule an update once final upstream patch is available.

--


This issue affects the versions of the python package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

-- 

This issue affects the version of the python3 package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

--

This issue affects the version of the pypy package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.
Comment 5 Jan Lieskovsky 2012-02-13 09:13:56 EST
CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/02/13/3
Comment 6 Jan Lieskovsky 2012-02-13 09:14:57 EST
Created python tracking bugs for this issue

Affects: fedora-all [bug 790027]
Comment 7 Kurt Seifried 2012-02-13 10:57:30 EST
Added CVE CVE-2012-0845 as per http://www.openwall.com/lists/oss-security/2012/02/13/3
Comment 10 Jan Lieskovsky 2012-02-14 05:35:41 EST
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 790358]
Comment 11 Jan Lieskovsky 2012-02-14 05:36:33 EST
Created python26 tracking bugs for this issue

Affects: epel-5 [bug 790360]
Comment 12 Jan Lieskovsky 2012-02-14 05:50:57 EST
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 790366]
Comment 15 Huzaifa S. Sidhpurwala 2012-02-19 21:45:28 EST
Patch for python 2.6:
http://hg.python.org/cpython/rev/24244a744d01
Comment 19 Huzaifa S. Sidhpurwala 2012-03-30 01:48:31 EDT
Created python tracking bugs for this issue

Affects: fedora-all [bug 808303]
Comment 20 Huzaifa S. Sidhpurwala 2012-03-30 01:48:35 EDT
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 808306]
Comment 21 Huzaifa S. Sidhpurwala 2012-03-30 01:48:41 EDT
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 808304]
Comment 22 Fedora Update System 2012-05-02 00:49:44 EDT
python-2.7.3-3.fc17, python-docs-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2012-05-03 03:28:23 EDT
python3-3.2.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2012-05-05 21:26:22 EDT
python-2.7.3-1.fc16, python-docs-2.7.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2012-05-07 00:16:44 EDT
python3-3.2.3-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2012-05-07 18:09:56 EDT
python26-2.6.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 errata-xmlrpc 2012-06-18 08:32:48 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0744 https://rhn.redhat.com/errata/RHSA-2012-0744.html
Comment 28 Fedora Update System 2012-06-19 10:53:20 EDT
python3-3.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.