Bug 789790 (CVE-2012-0845) - CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
Summary: CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC ...
Status: CLOSED ERRATA
Alias: CVE-2012-0845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20120212,repor...
Keywords: Security
Depends On: 790027 790358 790360 790366 805382 805383 808303 808304 808306
Blocks: 790031
TreeView+ depends on / blocked
 
Reported: 2012-02-13 01:21 UTC by Dan Callaghan
Modified: 2016-11-08 15:58 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-04-11 20:01:53 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0744 normal SHIPPED_LIVE Moderate: python security update 2012-06-18 16:31:56 UTC

Description Dan Callaghan 2012-02-13 01:21:44 UTC
Description of problem:

When using SimpleXMLRPCServer from the standard library, if a client connection is closed before the complete request body has been received the server will enter an infinite loop consuming memory.


Version-Release number of selected component (if applicable):

python-2.6.6-29.el6.x86_64


How reproducible:

always


Steps to Reproduce:

1. Start the server:
>>> import SimpleXMLRPCServer, SocketServer
>>> class Server(SocketServer.ThreadingMixIn, SimpleXMLRPCServer.SimpleXMLRPCServer): pass
... 
>>> Server(('0.0.0.0', 12345)).serve_forever()

2. Simulate a malicious or flakey client:
$ echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345
^C

  
Actual results:

Server goes nuts, with a thread stuck in an infinite loop eating memory.


Expected results:

Bad request is discarded.


Additional info:

The bug is in /usr/lib64/python2.6/SimpleXMLRPCServer.py at line 453:

    # Get arguments by reading body of request.
    # We read this in chunks to avoid straining
    # socket.read(); around the 10 or 15Mb mark, some platforms
    # begin to have problems (bug #792570).
    max_chunk_size = 10*1024*1024
    size_remaining = int(self.headers["content-length"])
    L = []
    while size_remaining:
        chunk_size = min(size_remaining, max_chunk_size)
        L.append(self.rfile.read(chunk_size))
        size_remaining -= len(L[-1])
    data = ''.join(L)

This code does not correctly handle EOF from self.rfile.read().

Comment 3 Jan Lieskovsky 2012-02-13 13:47:33 UTC
Issue reported upstream as:
[1] http://bugs.python.org/issue14001

Comment 4 Jan Lieskovsky 2012-02-13 13:57:26 UTC
This issue did NOT affect the versions of the python package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the python package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the version of the python26 package, as shipped with Fedora EPEL 5. Please schedule an update once final upstream patch is available.

--


This issue affects the versions of the python package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

-- 

This issue affects the version of the python3 package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

--

This issue affects the version of the pypy package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

Comment 5 Jan Lieskovsky 2012-02-13 14:13:56 UTC
CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/02/13/3

Comment 6 Jan Lieskovsky 2012-02-13 14:14:57 UTC
Created python tracking bugs for this issue

Affects: fedora-all [bug 790027]

Comment 7 Kurt Seifried 2012-02-13 15:57:30 UTC
Added CVE CVE-2012-0845 as per http://www.openwall.com/lists/oss-security/2012/02/13/3

Comment 10 Jan Lieskovsky 2012-02-14 10:35:41 UTC
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 790358]

Comment 11 Jan Lieskovsky 2012-02-14 10:36:33 UTC
Created python26 tracking bugs for this issue

Affects: epel-5 [bug 790360]

Comment 12 Jan Lieskovsky 2012-02-14 10:50:57 UTC
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 790366]

Comment 15 Huzaifa S. Sidhpurwala 2012-02-20 02:45:28 UTC
Patch for python 2.6:
http://hg.python.org/cpython/rev/24244a744d01

Comment 19 Huzaifa S. Sidhpurwala 2012-03-30 05:48:31 UTC
Created python tracking bugs for this issue

Affects: fedora-all [bug 808303]

Comment 20 Huzaifa S. Sidhpurwala 2012-03-30 05:48:35 UTC
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 808306]

Comment 21 Huzaifa S. Sidhpurwala 2012-03-30 05:48:41 UTC
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 808304]

Comment 22 Fedora Update System 2012-05-02 04:49:44 UTC
python-2.7.3-3.fc17, python-docs-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-05-03 07:28:23 UTC
python3-3.2.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2012-05-06 01:26:22 UTC
python-2.7.3-1.fc16, python-docs-2.7.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2012-05-07 04:16:44 UTC
python3-3.2.3-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2012-05-07 22:09:56 UTC
python26-2.6.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 errata-xmlrpc 2012-06-18 12:32:48 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0744 https://rhn.redhat.com/errata/RHSA-2012-0744.html

Comment 28 Fedora Update System 2012-06-19 14:53:20 UTC
python3-3.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.