Bug 789790 (CVE-2012-0845)

Summary: CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
Product: [Other] Security Response
Reporter: Dan Callaghan <dcallagh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dmalcolm, fche, jlieskov, jrusnack, security-response-team
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python 2.6.8, python 2.7.3, python 3.1.5, python 3.2.3
Doc Type: Bug Fix
Last Closed: 2013-04-11 20:01:53 UTC
Bug Depends On: 790027, 790358, 790360, 790366, 805382, 805383, 808303, 808304, 808306
Bug Blocks: 790031

Description Dan Callaghan 2012-02-13 01:21:44 UTC
Description of problem:

When using SimpleXMLRPCServer from the standard library, if a client connection is closed before the complete request body has been received the server will enter an infinite loop consuming memory.


Version-Release number of selected component (if applicable):

python-2.6.6-29.el6.x86_64


How reproducible:

always


Steps to Reproduce:

1. Start the server:
>>> import SimpleXMLRPCServer, SocketServer
>>> class Server(SocketServer.ThreadingMixIn, SimpleXMLRPCServer.SimpleXMLRPCServer): pass
... 
>>> Server(('0.0.0.0', 12345)).serve_forever()

2. Simulate a malicious or flakey client:
$ echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345
^C

  
Actual results:

Server goes nuts, with a thread stuck in an infinite loop eating memory.


Expected results:

Bad request is discarded.


Additional info:

The bug is in /usr/lib64/python2.6/SimpleXMLRPCServer.py at line 453:

    # Get arguments by reading body of request.
    # We read this in chunks to avoid straining
    # socket.read(); around the 10 or 15Mb mark, some platforms
    # begin to have problems (bug #792570).
    max_chunk_size = 10*1024*1024
    size_remaining = int(self.headers["content-length"])
    L = []
    while size_remaining:
        chunk_size = min(size_remaining, max_chunk_size)
        L.append(self.rfile.read(chunk_size))
        size_remaining -= len(L[-1])
    data = ''.join(L)

This code does not correctly handle EOF from self.rfile.read().

Comment 3 Jan Lieskovsky 2012-02-13 13:47:33 UTC
Issue reported upstream as:
[1] http://bugs.python.org/issue14001

Comment 4 Jan Lieskovsky 2012-02-13 13:57:26 UTC
This issue did NOT affect the versions of the python package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the python package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the version of the python26 package, as shipped with Fedora EPEL 5. Please schedule an update once final upstream patch is available.

--


This issue affects the versions of the python package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

-- 

This issue affects the version of the python3 package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

--

This issue affects the version of the pypy package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

Comment 5 Jan Lieskovsky 2012-02-13 14:13:56 UTC
CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/02/13/3

Comment 6 Jan Lieskovsky 2012-02-13 14:14:57 UTC
Created python tracking bugs for this issue

Affects: fedora-all [bug 790027]

Comment 7 Kurt Seifried 2012-02-13 15:57:30 UTC
Added CVE CVE-2012-0845 as per http://www.openwall.com/lists/oss-security/2012/02/13/3

Comment 10 Jan Lieskovsky 2012-02-14 10:35:41 UTC
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 790358]

Comment 11 Jan Lieskovsky 2012-02-14 10:36:33 UTC
Created python26 tracking bugs for this issue

Affects: epel-5 [bug 790360]

Comment 12 Jan Lieskovsky 2012-02-14 10:50:57 UTC
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 790366]

Comment 15 Huzaifa S. Sidhpurwala 2012-02-20 02:45:28 UTC
Patch for python 2.6:
http://hg.python.org/cpython/rev/24244a744d01

Comment 19 Huzaifa S. Sidhpurwala 2012-03-30 05:48:31 UTC
Created python tracking bugs for this issue

Affects: fedora-all [bug 808303]

Comment 20 Huzaifa S. Sidhpurwala 2012-03-30 05:48:35 UTC
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 808306]

Comment 21 Huzaifa S. Sidhpurwala 2012-03-30 05:48:41 UTC
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 808304]

Comment 22 Fedora Update System 2012-05-02 04:49:44 UTC
python-2.7.3-3.fc17, python-docs-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-05-03 07:28:23 UTC
python3-3.2.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2012-05-06 01:26:22 UTC
python-2.7.3-1.fc16, python-docs-2.7.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2012-05-07 04:16:44 UTC
python3-3.2.3-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2012-05-07 22:09:56 UTC
python26-2.6.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 errata-xmlrpc 2012-06-18 12:32:48 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0744 https://rhn.redhat.com/errata/RHSA-2012-0744.html

Comment 28 Fedora Update System 2012-06-19 14:53:20 UTC
python3-3.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.