Bug 1046174 - (CVE-2013-1752) CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120925,repor...
: Security
Depends On: 1159202 1159200 1159201 1159203 1168230 1168231 1187779 1206572 1206574
Blocks: 1046175 1210268
  Show dependency treegraph
 
Reported: 2013-12-23 18:30 EST by Vincent Danen
Modified: 2016-11-03 17:04 EDT (History)
71 users (show)

See Also:
Fixed In Version: python 3.2.6, python 3.3.4, python 3.4.0
Doc Type: Bug Fix
Doc Text:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-20 10:34:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-12-23 18:30:32 EST
Multiple denial of service flaws were reported against various parts of Python's stdlib:

* httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4])
* ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8])
* imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11])
* nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15])
* poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18])
* smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x)

Unfortunately, upstream assigned a single CVE to all of these, however I do not believe they can all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions).  So this will likely require MITRE to detangle.


[1] http://bugs.python.org/issue16037
[2] http://hg.python.org/cpython/rev/8a22a2804a66/
[3] http://hg.python.org/cpython/rev/582e5072ff89
[4] http://hg.python.org/cpython/rev/e445d02e5306/
[5] http://bugs.python.org/issue16038
[6] http://hg.python.org/cpython/rev/44ac81e6d584/
[7] http://hg.python.org/cpython/rev/8b19e7d0be45/
[8] http://hg.python.org/cpython/rev/38db4d0726bd/
[9] http://bugs.python.org/issue16039
[10] http://hg.python.org/cpython/rev/4190568ceda0/
[11] http://hg.python.org/cpython/rev/4b0364fc5711/
[12] http://bugs.python.org/issue16040
[13] http://hg.python.org/cpython/rev/36680a7c0e22/
[14] http://hg.python.org/cpython/rev/731abf7834c4/
[15] http://hg.python.org/cpython/rev/fc88bd80d925/
[16] http://bugs.python.org/issue16041
[17] http://hg.python.org/cpython/rev/7214e3324a45/
[18] http://hg.python.org/cpython/rev/68029048c9c6/
[19] http://bugs.python.org/issue16042
[20] http://hg.python.org/cpython/rev/8a6def3add5b/
Comment 1 Tomas Hoger 2014-10-30 16:35:01 EDT
* httplib

There are actually two separate issues for httplib under this CVE.  The first issue was originally reported in the following upstream bug:

http://bugs.python.org/issue6791

This bug covers use of readline() without size limit, which can lead to excessive memory usage if a malicious or broken HTTP server sends excessively long lines without any line breaks.  Issue was addressed upstream in the following commit:

https://hg.python.org/cpython/rev/0b94635ed2f6

and backported to 2.7 and 3.1 branches:

2.7  https://hg.python.org/cpython/rev/965314f12f71
3.1  https://hg.python.org/cpython/rev/3c182f71d4c9

This fix was never backported to 2.6 branch upstream.

Mentioned backports to 2.7 and 3.1 missed one readline() call in _read_status().  This is one of the problems covered by the upstream bug:

http://bugs.python.org/issue16037

The missed call was corrected in 2.7 branch in the following commit:

2.7  https://hg.python.org/cpython/rev/8a22a2804a66

The second issue in the upstream issue16037 is the lack of restriction on the number of HTTP headers server can send.  This issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3 branches:

2.6  https://hg.python.org/cpython/rev/582e5072ff89
2.7  https://hg.python.org/cpython/rev/5e310c6a8520
3.3  https://hg.python.org/cpython/rev/e445d02e5306

Patches limit the number of headers to 100.  Exception is raised if server sends more headers.
Comment 2 Tomas Hoger 2014-10-30 16:42:41 EDT
* ftplib

Upstream bug is:

http://bugs.python.org/issue16038

This issue is similar to the unlimited readline() use in httplib, as described in comment 1.  Issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3.

2.6  https://hg.python.org/cpython/rev/8b19e7d0be45
2.7  https://hg.python.org/cpython/rev/44ac81e6d584
3.3  https://hg.python.org/cpython/rev/38db4d0726bd
Comment 3 Tomas Hoger 2014-10-30 16:48:37 EDT
* imaplib

Upstream bug is:

http://bugs.python.org/issue16039

Another case of unlimited readline(), imaplib in this case.  Fixed upstream in 2.6, 2.7, 3.2 and 3.3:

2.6  https://hg.python.org/cpython/rev/4190568ceda0
2.7  https://hg.python.org/cpython/rev/dd906f4ab923
3.3  https://hg.python.org/cpython/rev/4b0364fc5711
Comment 4 Tomas Hoger 2014-10-30 17:58:28 EDT
* nntplib

Upstream bug is:

http://bugs.python.org/issue16040

Another unlimited readline(), fixed upstream in 2.6, 2.7, 3.2 and 3.3:

2.6  https://hg.python.org/cpython/rev/731abf7834c4
2.7  https://hg.python.org/cpython/rev/36680a7c0e22
3.3  https://hg.python.org/cpython/rev/fc88bd80d925
Comment 5 Tomas Hoger 2014-10-30 18:01:46 EDT
* poplib

Upstream bug is:

http://bugs.python.org/issue16041

Another unlimited readline().  Fixed upstream in 2.6, 3.2 and 3.3.  2.7 is still unfixed upstream.

2.6  https://hg.python.org/cpython/rev/7214e3324a45
3.3  https://hg.python.org/cpython/rev/68029048c9c6
Comment 6 Tomas Hoger 2014-10-30 18:06:05 EDT
* smtplib

Upstream bug is:

http://bugs.python.org/issue16042

Similar to the poplib, this was fixed upstream in 2.6, 3.2 and 3.3, but remains unfixed in 2.7 to date.

2.6  https://hg.python.org/cpython/rev/8a6def3add5b
3.3  https://hg.python.org/cpython/rev/d62a67318023
Comment 7 Tomas Hoger 2014-10-30 18:22:59 EDT
All issues are listed as fixed in python 2.6.9.  However, as noted in comment 1, httplib unlimited readline() was never fixed in 2.6.

https://www.python.org/download/releases/2.6.9/


Status for the 2.7 upstream is:
- 2.7.4 - fixed httplib _read_status() readline
- 2.7.6 - ftplib and nntplib
- 2.7.7 - imaplib
- upcoming 2.7.9 - should add httplib header limit
- poplib and smtplib are unfixed in 2.7 branch in upstream mercurial


Status for 3.3 is:
- 3.3.3 - httplib header limit, ftplib, imaplib, nntplib, poplib
- 3.3.4 - smtplib


3.2 has all fixes applied in upstream version 3.2.6.
Comment 8 Tomas Hoger 2014-10-31 04:11:20 EDT
Fedora status:

- python - using 2.7.5, hence affected by most issues
- python/rawhide - using 2.7.8, missing httplib, poplib and smtplib
- python3 - using 3.3.2, hence affected by most issues
- python3/rawhide - using 3.4.1, all issues fixed
Comment 9 Tomas Hoger 2014-10-31 04:15:24 EDT
Affected modules are also part of Jython standard library.  Looking at the upstream repositories, only httplib readline issue is fixed in upcoming 2.7 version.  No issue is fixed in 2.2 or 2.5 branches.
Comment 10 Tomas Hoger 2014-10-31 04:27:56 EDT
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1159200]
Comment 11 Tomas Hoger 2014-10-31 04:28:02 EDT
Created jython tracking bugs for this issue:

Affects: fedora-all [bug 1159201]
Affects: epel-7 [bug 1159202]
Affects: epel-5 [bug 1159203]
Comment 13 Pavel Polischouk 2014-10-31 11:22:53 EDT
Statement:

Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 14 Tomas Hoger 2014-11-26 08:14:16 EST
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1168230]
Comment 15 Tomas Hoger 2014-11-26 08:14:53 EST
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1168231]
Comment 19 Fedora Update System 2015-04-18 05:42:54 EDT
python-2.7.8-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-04-21 15:25:24 EDT
jnr-posix-3.0.9-3.fc22, jline-2.12.1-1.fc22, jython-2.7-0.7.rc2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2015-04-22 18:41:43 EDT
python-2.7.5-16.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2015-06-04 04:29:40 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
Comment 23 errata-xmlrpc 2015-07-22 02:39:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html
Comment 31 errata-xmlrpc 2015-11-19 07:42:01 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html

Note You need to log in before you can comment on or make changes to this bug.