[issue16041] poplib: unlimited readline() from connection

2015-08-12 Thread R. David Murray
R. David Murray added the comment: It has been, see the referenced issue. Now we just need someone to write a patch. -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16041

[issue16041] poplib: unlimited readline() from connection

2015-08-11 Thread Stephen Coulson
Stephen Coulson added the comment: Broke for me today. Hacked the _MAXLINE to get around it. I don't see any size limit on multi-line in rfc. Only requirement is dot-stuffing. I think this fix might need a rethink. -- nosy: +scoulson

[issue16041] poplib: unlimited readline() from connection

2015-07-14 Thread Chris Smowton
Chris Smowton added the comment: +1 to the above; suggest this should be rolled back and replaced with a total message size limit. -- nosy: +Chris Smowton

[issue16041] poplib: unlimited readline() from connection

2015-06-28 Thread Ingo Ruhnke
Ingo Ruhnke added the comment: This fix has broken mail retrieval from both gmx.de, gmail.com and plenty of other providers. It manifests in getmail as: Retrieval error: server for BrokenUIDLPOP3SSLRetriever:1860...@pop.gmx.net:995 is broken; offered message 239 but failed to provide it.

[issue16041] poplib: unlimited readline() from connection

2014-12-05 Thread Roundup Robot
Roundup Robot added the comment: New changeset 339f877cca11 by Benjamin Peterson in branch '2.7': in poplib, limit maximum line length that we read from the network (closes #16041) https://hg.python.org/cpython/rev/339f877cca11 -- resolution: -> fixed stage: patch review -> resolved

[issue16041] poplib: unlimited readline() from connection

2014-12-02 Thread Matthias Klose
Matthias Klose added the comment: this looks ok to me, can we apply this for 2.7.9? -- nosy: +doko

[issue16041] poplib: unlimited readline() from connection

2014-10-19 Thread Berker Peksag
Berker Peksag added the comment: Here is a patch for 2.7. -- nosy: +berker.peksag stage: needs patch -> patch review Added file: http://bugs.python.org/file36970/issue16041_27.diff

[issue16041] poplib: unlimited readline() from connection

2014-10-19 Thread Berker Peksag
Changes by Berker Peksag berker.pek...@gmail.com: Added file: http://bugs.python.org/file36971/issue16041_27.diff

[issue16041] poplib: unlimited readline() from connection

2014-10-19 Thread Berker Peksag
Changes by Berker Peksag berker.pek...@gmail.com: Removed file: http://bugs.python.org/file36970/issue16041_27.diff

[issue16041] poplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl
Changes by Georg Brandl ge...@python.org: -- versions: -Python 3.1

[issue16041] poplib: unlimited readline() from connection

2014-09-30 Thread Roundup Robot
Roundup Robot added the comment: New changeset 76be07730f8d by Georg Brandl in branch '3.2': Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to https://hg.python.org/cpython/rev/76be07730f8d

[issue16041] poplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl
Changes by Georg Brandl ge...@python.org: -- versions: -Python 3.2

[issue16041] poplib: unlimited readline() from connection

2013-10-27 Thread Roundup Robot
Roundup Robot added the comment: New changeset 68029048c9c6 by Georg Brandl in branch '3.3': Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to http://hg.python.org/cpython/rev/68029048c9c6

[issue16041] poplib: unlimited readline() from connection

2013-10-27 Thread Georg Brandl
Georg Brandl added the comment: Also merged to default. -- versions: -Python 3.3, Python 3.4

[issue16041] poplib: unlimited readline() from connection

2013-10-24 Thread Jyrki Pulliainen
Jyrki Pulliainen added the comment: Here's a max line length fix for 3.2 (applies on 3.4 too). I wonder if _getlongresp should have some max length detection too for max length of a multiline response -- Added file: http://bugs.python.org/file32335/issue16041_py32.patch

[issue16041] poplib: unlimited readline() from connection

2013-10-18 Thread Larry Hastings
Larry Hastings added the comment: Ping. Please fix before beta 1.

[issue16041] poplib: unlimited readline() from connection

2013-09-30 Thread Jyrki Pulliainen
Jyrki Pulliainen added the comment: Added a test for SSL, if SSL is available -- Added file: http://bugs.python.org/file31923/issue16041_py26_with_ssl.patch

[issue16041] poplib: unlimited readline() from connection

2013-09-30 Thread Roundup Robot
Roundup Robot added the comment: New changeset 7214e3324a45 by Barry Warsaw in branch '2.6': - Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to http://hg.python.org/cpython/rev/7214e3324a45 -- nosy: +python-dev

[issue16041] poplib: unlimited readline() from connection

2013-09-30 Thread Barry A. Warsaw
Changes by Barry A. Warsaw ba...@python.org: -- versions: -Python 2.6

[issue16041] poplib: unlimited readline() from connection

2013-09-30 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: On Sep 30, 2013, at 08:41 PM, Arfrever Frehtes Taifersar Arahesis wrote: Arfrever Frehtes Taifersar Arahesis added the comment: New changeset 7214e3324a45 by Barry Warsaw in branch '2.6': - Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to

[issue16041] poplib: unlimited readline() from connection

2013-09-30 Thread Arfrever Frehtes Taifersar Arahesis
Arfrever Frehtes Taifersar Arahesis added the comment: New changeset 7214e3324a45 by Barry Warsaw in branch '2.6': - Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to http://hg.python.org/cpython/rev/7214e3324a45 ... --- a/Misc/NEWS +++ b/Misc/NEWS ... +- Issue

[issue16041] poplib: unlimited readline() from connection

2013-09-29 Thread Jyrki Pulliainen
Jyrki Pulliainen added the comment: Attached a patch for 2.6. Due to how tests are in 2.6, this adds one more test case with evil server, which basically just returns too long lines. -- Added file: http://bugs.python.org/file31913/issue16041_py26.patch

[issue16041] poplib: unlimited readline() from connection

2013-09-29 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: Looks good, although only the POP3 exception is actually tested. The POP3_SSL exception isn't tested. Any chance you could add a test for that (obviously, only if `import ssl` succeeds)?

[issue16041] poplib: unlimited readline() from connection

2013-09-15 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +barry priority: critical -> release blocker versions: +Python 2.6, Python 3.1

[issue16041] poplib: unlimited readline() from connection

2013-03-23 Thread Benjamin Peterson
Benjamin Peterson added the comment: Not blocking 2.7.4 as discussed on mailing list. -- priority: release blocker -> critical

[issue16041] poplib: unlimited readline() from connection

2013-02-23 Thread Jyrki Pulliainen
Jyrki Pulliainen added the comment: Added a functionality that raises error_proto('line too long') if we read over _MAXLINE characters. Defaults _MAXLINE to 2048. The patch is written on top of 2.7 -- keywords: +patch nosy: +nailor Added file:

[issue16041] poplib: unlimited readline() from connection

2013-02-22 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever

[issue16041] poplib: unlimited readline() from connection

2013-02-15 Thread Christian Heimes
Christian Heimes added the comment: RFC 1939 says: Responses in the POP3 consist of a status indicator and a keyword possibly followed by additional information. All responses are terminated by a CRLF pair. Responses may be up to 512 characters long, including the terminating

[issue16041] poplib: unlimited readline() from connection

2013-02-15 Thread Christian Heimes
Christian Heimes added the comment: CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib

[issue16041] poplib: unlimited readline() from connection

2013-02-04 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- nosy: +benjamin.peterson, georg.brandl, larry priority: critical -> release blocker

[issue16041] poplib: unlimited readline() from connection

2013-01-21 Thread Giampaolo Rodola'
Changes by Giampaolo Rodola' g.rod...@gmail.com: -- nosy: +giampaolo.rodola

[issue16041] poplib: unlimited readline() from connection

2013-01-20 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- assignee: -> christian.heimes priority: normal -> critical stage: -> needs patch versions: +Python 3.4

[issue16041] poplib: unlimited readline() from connection

2012-09-25 Thread Christian Heimes
New submission from Christian Heimes: This bug is similar to #16037 and a modified copy of #16038. The poplib module doesn't limit the amount of read data in its call to readline(). An erroneous or malicious POP3 server can trick the poplib module to consume large amounts of memory.
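
The trade-off this thread turns on, as an added sketch that is not poplib's code or any patch attached to the issue: a per-line cap (2048, the `_MAXLINE` value named above) stops an unterminated line from exhausting memory but also rejects a long message-body line, while a total-size cap on the multi-line response bounds memory without constraining individual lines. `ProtoError`, `MAX_TOTAL`, the function names and the sample byte strings are assumptions made for illustration.

```python
import io

MAXLINE = 2048           # per-line cap named in the thread (_MAXLINE)
MAX_TOTAL = 1024 * 1024  # assumed cap on a whole multi-line response

class ProtoError(Exception):
    """Stand-in for poplib.error_proto in this sketch."""

def read_line(fp, maxline=MAXLINE):
    # Request at most maxline + 1 bytes so a peer that never sends a
    # newline cannot make readline() buffer without bound.
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise ProtoError("line too long")
    if not line:
        raise ProtoError("unexpected EOF")
    return line

def read_multiline(fp, maxline=MAXLINE, max_total=MAX_TOTAL):
    # A multi-line response ends with a lone "."; a line starting with
    # ".." was dot-stuffed by the server and loses one leading dot.
    lines, total = [], 0
    while True:
        line = read_line(fp, maxline).rstrip(b"\r\n")
        if line == b".":
            return lines
        if line.startswith(b".."):
            line = line[1:]
        total += len(line)
        if total > max_total:
            raise ProtoError("response too large")
        lines.append(line)

def classify(raw, **limits):
    # Feed constructed server bytes through the reader and report the outcome.
    try:
        return "ok", len(read_multiline(io.BytesIO(raw), **limits))
    except ProtoError as exc:
        return "rejected", str(exc)

# Constructed sample responses (not captured traffic).
NORMAL = b"Subject: hi\r\n\r\n..dot line\r\nbody\r\n.\r\n"
NO_NEWLINE = b"A" * 100_000                 # never terminates a line
LONG_BODY = b"X" * 3000 + b"\r\n.\r\n"      # one body line over the cap
FLOOD = b"line\r\n" * 1000                  # short lines, no terminator

if __name__ == "__main__":
    for name in ("NORMAL", "NO_NEWLINE", "LONG_BODY", "FLOOD"):
        print(name, classify(globals()[name], max_total=1000))
```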