[issue16039] imaplib: unlimited readline() from connection

2018-12-12 Thread STINNER Victor
STINNER Victor added the comment: I added imaplib.IMAP4_SSL.readline() to my python-security website: https://python-security.readthedocs.io/vuln/cve-2013-1752_cve-2013-1752_limit_imaplib.imap4_ssl.readline.html I'm now waiting for a Python 2.7.16 release. -- priority: release

[issue16039] imaplib: unlimited readline() from connection

2018-12-12 Thread STINNER Victor
STINNER Victor added the comment: New changeset 16d63202af35dadd652a5e3eae687ea709e95b11 by Victor Stinner in branch '2.7': bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120) https://github.com/python/cpython/commit/16d63202af35dadd652a5e3eae687ea709e95b11

[issue16039] imaplib: unlimited readline() from connection

2018-12-11 Thread STINNER Victor
Change by STINNER Victor: -- pull_requests: +10351

[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Roundup Robot
Roundup Robot added the comment: New changeset 5d1c03316af7 by Georg Brandl in branch '3.2': Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit https://hg.python.org/cpython/rev/5d1c03316af7

[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl
Changes by Georg Brandl ge...@python.org: -- versions: -Python 3.1, Python 3.2

[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread STINNER Victor
STINNER Victor added the comment:
> New changeset 5d1c03316af7 by Georg Brandl in branch '3.2': Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit https://hg.python.org/cpython/rev/5d1c03316af7
I'm not sure that this change is correct, the test failed on Windows. Or

[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl
Georg Brandl added the comment: Let me check that.

[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Arfrever Frehtes Taifersar Arahesis
Arfrever Frehtes Taifersar Arahesis added the comment: This error is rather related to issue #16042, not issue #16039.

[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl
Changes by Georg Brandl ge...@python.org: -- resolution: -> fixed status: open -> closed

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor
STINNER Victor added the comment: Why is this issue still open? The issue was fixed in Python 2.6.9. Why is the issue a release blocker? The issue was also fixed in the future Python 3.4 (in default). -- nosy: +haypo

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray
R. David Murray added the comment: Presumably because it has not been fixed in 2.7. -- nosy: +r.david.murray

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor
STINNER Victor added the comment:
> Since the merge 2.6 -> 2.7 did not apply cleanly, and had other problems. I null merged the 2.6 changes. I'll leave it to Benjamin to work out whatever patches 2.7 needs.
So Benjamin, is there a reason to not fix this security vulnerability in Python 2.7?

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread Benjamin Peterson
Benjamin Peterson added the comment: There's no reason not to fix it assuming the patch is good...

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray
R. David Murray added the comment: Applied to 2.7 in dd906f4ab923. -- resolution: -> fixed stage: needs patch -> committed/rejected status: open -> closed

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray
R. David Murray added the comment: And we're getting test failures in the SSL version of the test. No similar failure reports in the tracker, and the same test has been running on the Python3 branch for a while now.

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread Roundup Robot
Roundup Robot added the comment: New changeset d7ae948d9eee by R David Murray in branch '2.7': #16039/#20118: temporarily skip failing imaplib SSL test. http://hg.python.org/cpython/rev/d7ae948d9eee

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor
STINNER Victor added the comment: Reopen, a test is failing. -- resolution: fixed -> status: closed -> open

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray
R. David Murray added the comment: I opened a new issue for the failing test: issue 20118, so I don't see a reason to keep this open.

[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor
STINNER Victor added the comment:
> I opened a new issue for the failing test: issue 20118, so I don't see a reason to keep this open.
Ok, I wasn't aware of this issue. -- resolution: -> fixed status: open -> closed

[issue16039] imaplib: unlimited readline() from connection

2013-10-27 Thread Roundup Robot
Roundup Robot added the comment: New changeset 4b0364fc5711 by Georg Brandl in branch '3.3': Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit http://hg.python.org/cpython/rev/4b0364fc5711

[issue16039] imaplib: unlimited readline() from connection

2013-10-27 Thread Georg Brandl
Georg Brandl added the comment: Also merged to default. -- versions: -Python 3.3, Python 3.4

[issue16039] imaplib: unlimited readline() from connection

2013-10-18 Thread Larry Hastings
Larry Hastings added the comment: Ping. Please fix before beta 1.

[issue16039] imaplib: unlimited readline() from connection

2013-09-22 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: Looks good for 2.6. The NEWS file hunk doesn't apply, but I'll fix that when I commit this to 2.6.

[issue16039] imaplib: unlimited readline() from connection

2013-09-22 Thread Roundup Robot
Roundup Robot added the comment: New changeset 4190568ceda0 by Barry Warsaw in branch '2.6': - Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to http://hg.python.org/cpython/rev/4190568ceda0 -- nosy: +python-dev

[issue16039] imaplib: unlimited readline() from connection

2013-09-22 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: Since the merge 2.6 -> 2.7 did not apply cleanly, and had other problems. I null merged the 2.6 changes. I'll leave it to Benjamin to work out whatever patches 2.7 needs. -- versions: -Python 2.6

[issue16039] imaplib: unlimited readline() from connection

2013-09-15 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- versions: +Python 2.6, Python 3.1

[issue16039] imaplib: unlimited readline() from connection

2013-09-15 Thread A.M. Kuchling
A.M. Kuchling added the comment: Updated version of the patch against 2.6 that adds a test. Thanks for the fix, Emil! -- nosy: +akuchling Added file: http://bugs.python.org/file31778/imaplib.txt

[issue16039] imaplib: unlimited readline() from connection

2013-09-03 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: blocker for 2.6.9 -- nosy: +barry priority: critical -> release blocker

[issue16039] imaplib: unlimited readline() from connection

2013-03-23 Thread Benjamin Peterson
Benjamin Peterson added the comment: Not blocking 2.7.4 as discussed on mailing list. -- priority: release blocker -> critical

[issue16039] imaplib: unlimited readline() from connection

2013-02-26 Thread Emil Lind
Emil Lind added the comment: I'm uploading my first patch. Heavily based on the related issues for ftplib and poplib. Need help with review and a few questions... Q1: Is the error Exception the right way to handle the breach (disconnects client?) or is there a better way? Like a 'BAD'

[issue16039] imaplib: unlimited readline() from connection

2013-02-22 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever

[issue16039] imaplib: unlimited readline() from connection

2013-02-15 Thread Christian Heimes
Christian Heimes added the comment: RFC 3501 and 2060 (IMAP 4rev1) don't specify a line length RFC 2683 says: A client should limit the length of the command lines it generates to approximately 1000 octets. For its part, a server should allow for a command line of at least 8000

[issue16039] imaplib: unlimited readline() from connection

2013-02-15 Thread Christian Heimes
Christian Heimes added the comment: CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib

[issue16039] imaplib: unlimited readline() from connection

2013-02-04 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- nosy: +benjamin.peterson, georg.brandl, larry priority: critical -> release blocker

[issue16039] imaplib: unlimited readline() from connection

2013-01-21 Thread Giampaolo Rodola'
Changes by Giampaolo Rodola' g.rod...@gmail.com: -- nosy: +giampaolo.rodola

[issue16039] imaplib: unlimited readline() from connection

2013-01-20 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- assignee: -> christian.heimes priority: normal -> critical stage: -> needs patch versions: +Python 2.7, Python 3.2, Python 3.3, Python 3.4

[issue16039] imaplib: unlimited readline() from connection

2012-09-25 Thread Christian Heimes
New submission from Christian Heimes: This bug is similar to #16037 and a modified copy of #16038. The imaplib module doesn't limit the amount of read data in its call to readline(). An erroneous or malicious IMAP server can trick the imaplib module to consume large amounts of memory.