Bug 1046170 - (CVE-2013-1753) CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip encoding
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120925,repor...
Keywords: Security
Depends On: 1185074 1185077 1187779 1187793 1206574
Blocks: 1046175 1210268
Reported: 2013-12-23 17:52 EST by Vincent Danen
Modified: 2016-11-03 17:01 EDT (History)
Fixed In Version: python 2.7.9, python 3.3.7, python 3.4.3
Doc Type: Bug Fix
Doc Text:
It was discovered that the Python xmlrpclib did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory.
Last Closed: 2015-11-20 10:35:26 EST
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2015:1064 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: python27 security, bug fix, and enhancement update | Last Updated: 2015-06-04 08:28:00 EDT
Tracker ID: Red Hat Product Errata RHSA-2015:2101 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: python security, bug fix, and enhancement update | Last Updated: 2015-11-19 06:04:15 EST
Description Vincent Danen 2013-12-23 17:52:58 EST
It was reported [1] that the XMLRPC client library in Python is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip. If an XMLRPC program written in python were to contact a malicious server which responded with a specially-crafted HTTP response, it could possibly result in a denial of service of the client (memory exhaustion).

A proposed patch [2] is available, but nothing has been committed or released as there seems to still be some discussion on other enhancements to the patch.


[1] http://bugs.python.org/issue16043
[2] http://bugs.python.org/file28796/xmlrpc_gzip_27.patch
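The failure mode in the report is a decoder that inflates whatever the server sends with no ceiling on the inflated size, so a small, highly compressible body can expand into far more memory than the client can afford. The following is an added illustration, not code from the Python project, from the linked patch, or from the reporter: it places the unbounded shape beside a bounded decoder that inflates in slices via zlib.decompressobj's max_length argument and refuses any body that would exceed a cap. The names gzip_decode_bounded, classify_response and MAX_DECODED_BYTES, the 1 MiB cap, and all sample inputs are constructed for this example.

```python
import gzip
import io
import zlib

# Cap chosen for this demonstration; an assumption, not the value used upstream.
MAX_DECODED_BYTES = 1 * 1024 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when the inflated body would exceed the configured cap."""


def gzip_decode_unbounded(data):
    """Shape of the vulnerable behaviour described in the bug: inflate whatever
    the server sent, however large the result becomes."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gzf:
        return gzf.read()


def gzip_decode_bounded(data, max_decode=MAX_DECODED_BYTES):
    """Inflate a gzip body but refuse it as soon as the output passes max_decode.

    zlib.decompressobj inflates at most max_length bytes per call, so memory use
    stays bounded by the cap regardless of the compression ratio of the input."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    out = bytearray()
    pending = data
    while not d.eof:
        room = max_decode + 1 - len(out)  # one byte past the cap detects overflow
        if room <= 0:
            raise DecompressionLimitExceeded("gzip body exceeds %d bytes" % max_decode)
        chunk = d.decompress(pending, room)
        pending = d.unconsumed_tail  # input zlib could not process within 'room'
        if not chunk and not pending:
            raise ValueError("truncated or corrupt gzip stream")
        out += chunk
    if len(out) > max_decode:
        raise DecompressionLimitExceeded("gzip body exceeds %d bytes" % max_decode)
    return bytes(out)


def classify_response(data, max_decode=MAX_DECODED_BYTES):
    """What a hardened client would do with a response body: (status, body)."""
    try:
        return "ok", gzip_decode_bounded(data, max_decode)
    except DecompressionLimitExceeded:
        return "too_large", None
    except (ValueError, zlib.error):
        return "corrupt", None


# Constructed sample inputs (not taken from the page).
LEGIT_XML = (
    b"<?xml version='1.0'?><methodResponse><params><param>"
    b"<value><string>hello</string></value></param></params></methodResponse>"
)
LEGIT_RESPONSE = gzip.compress(LEGIT_XML)
# 8 MiB of zeros compresses to a few KiB: an unrestricted decoder expands all of
# it, the bounded decoder stops after the first slice past the cap.
HIGHLY_COMPRESSIBLE = gzip.compress(b"\0" * (8 * 1024 * 1024))
# Drop the CRC/size trailer and part of the last block to simulate a cut stream.
TRUNCATED = LEGIT_RESPONSE[:-12]


if __name__ == "__main__":
    print(classify_response(LEGIT_RESPONSE))
    print(classify_response(HIGHLY_COMPRESSIBLE))
    print(classify_response(TRUNCATED))
    print(len(gzip_decode_unbounded(HIGHLY_COMPRESSIBLE)))
```

A legitimate response decodes identically through both paths; the difference only shows on the compressible body, where the unbounded decoder allocates the full 8 MiB while the bounded one gives up at roughly the cap. The upstream commits linked later in this bug take the same approach, adding a max_decode limit to gzip_decode() (20 MiB by default) and raising ValueError when it is exceeded.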
Comment 2 Stefan Cornelius 2014-04-16 10:45:17 EDT
Introduced via http://hg.python.org/cpython/diff/ffd7cf5c7285/Lib/xmlrpclib.py in Python 2.7 and upstream never backported this to 2.6.x.

Interestingly, the proposed patch in comment #0 [2] does not seem to work for me. Given that this is probably not the final version yet, I did not investigate this any further.
Comment 3 Stefan Cornelius 2014-04-16 12:13:29 EDT
Statement:

This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as their XMLRPC library did not include support for gzip encoded content.
Comment 4 Tomas Hoger 2014-11-26 08:02:34 EST
(In reply to Stefan Cornelius from comment #2)
> Introduced via http://hg.python.org/cpython/diff/ffd7cf5c7285 in Python
> 2.7 and upstream never backported this to 2.6.x.

This was introduced upstream in 2.7 and 3.2.  It was not backported to 2.6 or 3.1.  The issue remains unfixed upstream.
Comment 5 Tomas Hoger 2015-01-22 15:39:59 EST
This issue is now fixed upstream; the links below are the commits for 2.7, 3.3 and 3.4:

https://hg.python.org/cpython/rev/d50096708b2d
https://hg.python.org/cpython/rev/4a9418c6f8ae
https://hg.python.org/cpython/rev/6b83e21c8679

Since those commits were made, only Python 2.7 had a new upstream release that includes the fix - 2.7.9.  Python 3.3 and 3.4 are likely to include this fix in the next releases - 3.3.7 and 3.4.3.
Comment 6 Tomas Hoger 2015-01-22 15:43:57 EST
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1185074]
Comment 7 Tomas Hoger 2015-01-22 15:44:03 EST
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1185077]
Comment 11 errata-xmlrpc 2015-06-04 04:29:07 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
Comment 12 errata-xmlrpc 2015-11-19 07:42:01 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html
