Bug 789790 - (CVE-2012-0845) CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120212,repor...
: Security
Depends On: 790027 790358 790360 790366 805382 805383 808303 808304 808306
Blocks: 790031
  Show dependency treegraph
 
Reported: 2012-02-12 20:21 EST by Dan Callaghan
Modified: 2016-11-08 10:58 EST (History)
5 users (show)

See Also:
Fixed In Version: python 2.6.8, python 2.7.3, python 3.1.5, python 3.2.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-11 16:01:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dan Callaghan 2012-02-12 20:21:44 EST
Description of problem:

When using SimpleXMLRPCServer from the standard library, if a client connection is closed before the complete request body has been received the server will enter an infinite loop consuming memory.


Version-Release number of selected component (if applicable):

python-2.6.6-29.el6.x86_64


How reproducible:

always


Steps to Reproduce:

1. Start the server:
>>> import SimpleXMLRPCServer, SocketServer
>>> class Server(SocketServer.ThreadingMixIn, SimpleXMLRPCServer.SimpleXMLRPCServer): pass
... 
>>> Server(('0.0.0.0', 12345)).serve_forever()

2. Simulate a malicious or flakey client:
$ echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345
^C

  
Actual results:

Server goes nuts, with a thread stuck in an infinite loop eating memory.


Expected results:

Bad request is discarded.


Additional info:

The bug is in /usr/lib64/python2.6/SimpleXMLRPCServer.py at line 453:

    # Get arguments by reading body of request.
    # We read this in chunks to avoid straining
    # socket.read(); around the 10 or 15Mb mark, some platforms
    # begin to have problems (bug #792570).
    max_chunk_size = 10*1024*1024
    size_remaining = int(self.headers["content-length"])
    L = []
    while size_remaining:
        chunk_size = min(size_remaining, max_chunk_size)
        L.append(self.rfile.read(chunk_size))
        size_remaining -= len(L[-1])
    data = ''.join(L)

This code does not correctly handle EOF from self.rfile.read().
Comment 3 Jan Lieskovsky 2012-02-13 08:47:33 EST
Issue reported upstream as:
[1] http://bugs.python.org/issue14001
Comment 4 Jan Lieskovsky 2012-02-13 08:57:26 EST
This issue did NOT affect the versions of the python package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the python package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the version of the python26 package, as shipped with Fedora EPEL 5. Please schedule an update once final upstream patch is available.

--


This issue affects the versions of the python package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

-- 

This issue affects the version of the python3 package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.

--

This issue affects the version of the pypy package, as shipped with Fedora release of 15 and 16. Please schedule an update once final upstream patch is available.
Comment 5 Jan Lieskovsky 2012-02-13 09:13:56 EST
CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/02/13/3
Comment 6 Jan Lieskovsky 2012-02-13 09:14:57 EST
Created python tracking bugs for this issue

Affects: fedora-all [bug 790027]
Comment 7 Kurt Seifried 2012-02-13 10:57:30 EST
Added CVE CVE-2012-0845 as per http://www.openwall.com/lists/oss-security/2012/02/13/3
Comment 10 Jan Lieskovsky 2012-02-14 05:35:41 EST
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 790358]
Comment 11 Jan Lieskovsky 2012-02-14 05:36:33 EST
Created python26 tracking bugs for this issue

Affects: epel-5 [bug 790360]
Comment 12 Jan Lieskovsky 2012-02-14 05:50:57 EST
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 790366]
Comment 15 Huzaifa S. Sidhpurwala 2012-02-19 21:45:28 EST
Patch for python 2.6:
http://hg.python.org/cpython/rev/24244a744d01
Comment 19 Huzaifa S. Sidhpurwala 2012-03-30 01:48:31 EDT
Created python tracking bugs for this issue

Affects: fedora-all [bug 808303]
Comment 20 Huzaifa S. Sidhpurwala 2012-03-30 01:48:35 EDT
Created pypy tracking bugs for this issue

Affects: fedora-all [bug 808306]
Comment 21 Huzaifa S. Sidhpurwala 2012-03-30 01:48:41 EDT
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 808304]
Comment 22 Fedora Update System 2012-05-02 00:49:44 EDT
python-2.7.3-3.fc17, python-docs-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2012-05-03 03:28:23 EDT
python3-3.2.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2012-05-05 21:26:22 EDT
python-2.7.3-1.fc16, python-docs-2.7.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2012-05-07 00:16:44 EDT
python3-3.2.3-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2012-05-07 18:09:56 EDT
python26-2.6.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 errata-xmlrpc 2012-06-18 08:32:48 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0744 https://rhn.redhat.com/errata/RHSA-2012-0744.html
Comment 28 Fedora Update System 2012-06-19 10:53:20 EDT
python3-3.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.