rkuska pushed to python (f20). "CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Apr 10 08:01:52 UTC 2015
>From d1cbd06fb0e97e2f40b886c6d7587c72c5bfa901 Mon Sep 17 00:00:00 2001
From: Robert Kuska <rkuska at redhat.com>
Date: Fri, 10 Apr 2015 09:15:38 +0200
Subject: CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib
Resolves: rhbz#1159200
diff --git a/00199-fix-CVE-2013-1752.patch b/00199-fix-CVE-2013-1752.patch
new file mode 100644
index 0000000..c7a93ae
--- /dev/null
+++ b/00199-fix-CVE-2013-1752.patch
@@ -0,0 +1,476 @@
+
+# HG changeset patch
+# User Serhiy Storchaka <storchaka at gmail.com>
+# Date 1382277427 -10800
+# Node ID 44ac81e6d584758ee56a865a7c18d82505be0643
+# Parent 625ece68d79a27d376889579c414ed4b2d8a2649
+Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
+limiting the call to readline(). Original patch by Michał
+Jastrzębski and Giampaolo Rodola.
+
+diff --git a/Lib/ftplib.py b/Lib/ftplib.py
+--- a/Lib/ftplib.py
++++ b/Lib/ftplib.py
+@@ -55,6 +55,8 @@ MSG_OOB = 0x1
+
+ # The standard FTP server control port
+ FTP_PORT = 21
++# The sizehint parameter passed to readline() calls
++MAXLINE = 8192
+
+
+ # Exception raised when an error or invalid response is received
+@@ -101,6 +103,7 @@ class FTP:
+ debugging = 0
+ host = ''
+ port = FTP_PORT
++ maxline = MAXLINE
+ sock = None
+ file = None
+ welcome = None
+@@ -180,7 +183,9 @@ class FTP:
+ # Internal: return one line from the server, stripping CRLF.
+ # Raise EOFError if the connection is closed
+ def getline(self):
+- line = self.file.readline()
++ line = self.file.readline(self.maxline + 1)
++ if len(line) > self.maxline:
++ raise Error("got more than %d bytes" % self.maxline)
+ if self.debugging > 1:
+ print '*get*', self.sanitize(line)
+ if not line: raise EOFError
+@@ -432,7 +437,9 @@ class FTP:
+ conn = self.transfercmd(cmd)
+ fp = conn.makefile('rb')
+ while 1:
+- line = fp.readline()
++ line = fp.readline(self.maxline + 1)
++ if len(line) > self.maxline:
++ raise Error("got more than %d bytes" % self.maxline)
+ if self.debugging > 2: print '*retr*', repr(line)
+ if not line:
+ break
+@@ -485,7 +492,9 @@ class FTP:
+ self.voidcmd('TYPE A')
+ conn = self.transfercmd(cmd)
+ while 1:
+- buf = fp.readline()
++ buf = fp.readline(self.maxline + 1)
++ if len(buf) > self.maxline:
++ raise Error("got more than %d bytes" % self.maxline)
+ if not buf: break
+ if buf[-2:] != CRLF:
+ if buf[-1] in CRLF: buf = buf[:-1]
+@@ -710,7 +719,9 @@ else:
+ fp = conn.makefile('rb')
+ try:
+ while 1:
+- line = fp.readline()
++ line = fp.readline(self.maxline + 1)
++ if len(line) > self.maxline:
++ raise Error("got more than %d bytes" % self.maxline)
+ if self.debugging > 2: print '*retr*', repr(line)
+ if not line:
+ break
+@@ -748,7 +759,9 @@ else:
+ conn = self.transfercmd(cmd)
+ try:
+ while 1:
+- buf = fp.readline()
++ buf = fp.readline(self.maxline + 1)
++ if len(buf) > self.maxline:
++ raise Error("got more than %d bytes" % self.maxline)
+ if not buf: break
+ if buf[-2:] != CRLF:
+ if buf[-1] in CRLF: buf = buf[:-1]
+@@ -905,7 +918,9 @@ class Netrc:
+ fp = open(filename, "r")
+ in_macro = 0
+ while 1:
+- line = fp.readline()
++ line = fp.readline(self.maxline + 1)
++ if len(line) > self.maxline:
++ raise Error("got more than %d bytes" % self.maxline)
+ if not line: break
+ if in_macro and line.strip():
+ macro_lines.append(line)
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+--- a/Lib/test/test_ftplib.py
++++ b/Lib/test/test_ftplib.py
+@@ -65,6 +65,7 @@ class DummyFTPHandler(asynchat.async_cha
+ self.last_received_data = ''
+ self.next_response = ''
+ self.rest = None
++ self.next_retr_data = RETR_DATA
+ self.push('220 welcome')
+
+ def collect_incoming_data(self, data):
+@@ -189,7 +190,7 @@ class DummyFTPHandler(asynchat.async_cha
+ offset = int(self.rest)
+ else:
+ offset = 0
+- self.dtp.push(RETR_DATA[offset:])
++ self.dtp.push(self.next_retr_data[offset:])
+ self.dtp.close_when_done()
+ self.rest = None
+
+@@ -203,6 +204,11 @@ class DummyFTPHandler(asynchat.async_cha
+ self.dtp.push(NLST_DATA)
+ self.dtp.close_when_done()
+
++ def cmd_setlongretr(self, arg):
++ # For testing. Next RETR will return long line.
++ self.next_retr_data = 'x' * int(arg)
++ self.push('125 setlongretr ok')
++
+
+ class DummyFTPServer(asyncore.dispatcher, threading.Thread):
+
+@@ -558,6 +564,20 @@ class TestFTPClass(TestCase):
+ # IPv4 is in use, just make sure send_epsv has not been used
+ self.assertEqual(self.server.handler.last_received_cmd, 'pasv')
+
++ def test_line_too_long(self):
++ self.assertRaises(ftplib.Error, self.client.sendcmd,
++ 'x' * self.client.maxline * 2)
++
++ def test_retrlines_too_long(self):
++ self.client.sendcmd('SETLONGRETR %d' % (self.client.maxline * 2))
++ received = []
++ self.assertRaises(ftplib.Error,
++ self.client.retrlines, 'retr', received.append)
++
++ def test_storlines_too_long(self):
++ f = StringIO.StringIO('x' * self.client.maxline * 2)
++ self.assertRaises(ftplib.Error, self.client.storlines, 'stor', f)
++
+
+ class TestIPv6Environment(TestCase):
+
+
+# HG changeset patch
+# User R David Murray <rdmurray at bitdance.com>
+# Date 1388775562 18000
+# Node ID dd906f4ab9237020a7a275c2d361fa288e553481
+# Parent 69b5f692455306c98aa27ecea17e6290787ebd3f
+closes 16039: CVE-2013-1752: limit line length in imaplib readline calls.
+
+diff --git a/Lib/imaplib.py b/Lib/imaplib.py
+--- a/Lib/imaplib.py
++++ b/Lib/imaplib.py
+@@ -35,6 +35,15 @@ IMAP4_PORT = 143
+ IMAP4_SSL_PORT = 993
+ AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first
+
++# Maximal line length when calling readline(). This is to prevent
++# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1)
++# don't specify a line length. RFC 2683 however suggests limiting client
++# command lines to 1000 octets and server command lines to 8000 octets.
++# We have selected 10000 for some extra margin and since that is supposedly
++# also what UW and Panda IMAP does.
++_MAXLINE = 10000
++
++
+ # Commands
+
+ Commands = {
+@@ -237,7 +246,10 @@ class IMAP4:
+
+ def readline(self):
+ """Read line from remote."""
+- return self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
++ if len(line) > _MAXLINE:
++ raise self.error("got more than %d bytes" % _MAXLINE)
++ return line
+
+
+ def send(self, data):
+diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
+--- a/Lib/test/test_imaplib.py
++++ b/Lib/test/test_imaplib.py
+@@ -165,6 +165,16 @@ class BaseThreadedNetworkedTests(unittes
+ self.imap_class, *server.server_address)
+
+
++ def test_linetoolong(self):
++ class TooLongHandler(SimpleIMAPHandler):
++ def handle(self):
++ # Send a very long response line
++ self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
++
++ with self.reaped_server(TooLongHandler) as server:
++ self.assertRaises(imaplib.IMAP4.error,
++ self.imap_class, *server.server_address)
++
+ class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
+
+ server_class = SocketServer.TCPServer
+
+# HG changeset patch
+# User Barry Warsaw <barry at python.org>
+# Date 1380582569 14400
+# Node ID 36680a7c0e22686df9c338a9ca3cdb2c60e05b27
+# Parent 0f5611bca5a284c0b5f978e83a05818f0907bda8# Parent 731abf7834c43efb321231e65e7dd76ad9e8e661
+- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
+ prevent readline() calls from consuming too much memory. Patch by Jyrki
+ Pulliainen.
+
+diff --git a/Lib/nntplib.py b/Lib/nntplib.py
+--- a/Lib/nntplib.py
++++ b/Lib/nntplib.py
+@@ -37,6 +37,13 @@ import socket
+ "error_reply","error_temp","error_perm","error_proto",
+ "error_data",]
+
++# maximal line length when calling readline(). This is to prevent
++# reading arbitrary lenght lines. RFC 3977 limits NNTP line length to
++# 512 characters, including CRLF. We have selected 2048 just to be on
++# the safe side.
++_MAXLINE = 2048
++
++
+ # Exceptions raised when an error or invalid response is received
+ class NNTPError(Exception):
+ """Base class for all nntplib exceptions"""
+@@ -200,7 +207,9 @@ class NNTP:
+ def getline(self):
+ """Internal: return one line from the server, stripping CRLF.
+ Raise EOFError if the connection is closed."""
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
++ if len(line) > _MAXLINE:
++ raise NNTPDataError('line too long')
+ if self.debugging > 1:
+ print '*get*', repr(line)
+ if not line: raise EOFError
+diff --git a/Lib/test/test_nntplib.py b/Lib/test/test_nntplib.py
+new file mode 100644
+--- /dev/null
++++ b/Lib/test/test_nntplib.py
+@@ -0,0 +1,65 @@
++import socket
++import threading
++import nntplib
++import time
++
++from unittest import TestCase
++from test import test_support
++
++HOST = test_support.HOST
++
++
++def server(evt, serv, evil=False):
++ serv.listen(5)
++ try:
++ conn, addr = serv.accept()
++ except socket.timeout:
++ pass
++ else:
++ if evil:
++ conn.send("1 I'm too long response" * 3000 + "\n")
++ else:
++ conn.send("1 I'm OK response\n")
++ conn.close()
++ finally:
++ serv.close()
++ evt.set()
++
++
++class BaseServerTest(TestCase):
++ def setUp(self):
++ self.evt = threading.Event()
++ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++ self.sock.settimeout(3)
++ self.port = test_support.bind_port(self.sock)
++ threading.Thread(
++ target=server,
++ args=(self.evt, self.sock, self.evil)).start()
++ time.sleep(.1)
++
++ def tearDown(self):
++ self.evt.wait()
++
++
++class ServerTests(BaseServerTest):
++ evil = False
++
++ def test_basic_connect(self):
++ nntp = nntplib.NNTP('localhost', self.port)
++ nntp.sock.close()
++
++
++class EvilServerTests(BaseServerTest):
++ evil = True
++
++ def test_too_long_line(self):
++ self.assertRaises(nntplib.NNTPDataError,
++ nntplib.NNTP, 'localhost', self.port)
++
++
++def test_main(verbose=None):
++ test_support.run_unittest(EvilServerTests)
++ test_support.run_unittest(ServerTests)
++
++if __name__ == '__main__':
++ test_main()
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1417827758 18000
+# Node ID 339f877cca115c1901f5dd93d7bc066031d2a669
+# Parent 54af094087953f4997a4ead63e949d845c4b4412
+in poplib, limit maximum line length that we read from the network (closes #16041)
+
+Patch from Berker Peksag.
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -32,6 +32,12 @@ CR = '\r'
+ LF = '\n'
+ CRLF = CR+LF
+
++# maximal line length when calling readline(). This is to prevent
++# reading arbitrary length lines. RFC 1939 limits POP3 line length to
++# 512 characters, including CRLF. We have selected 2048 just to be on
++# the safe side.
++_MAXLINE = 2048
++
+
+ class POP3:
+
+@@ -103,7 +109,9 @@ class POP3:
+ # Raise error_proto('-ERR EOF') if the connection is closed.
+
+ def _getline(self):
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
++ if len(line) > _MAXLINE:
++ raise error_proto('line too long')
+ if self._debugging > 1: print '*get*', repr(line)
+ if not line: raise error_proto('-ERR EOF')
+ octets = len(line)
+@@ -365,6 +373,8 @@ else:
+ match = renewline.match(self.buffer)
+ while not match:
+ self._fillBuffer()
++ if len(self.buffer) > _MAXLINE:
++ raise error_proto('line too long')
+ match = renewline.match(self.buffer)
+ line = match.group(0)
+ self.buffer = renewline.sub('' ,self.buffer, 1)
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+--- a/Lib/test/test_poplib.py
++++ b/Lib/test/test_poplib.py
+@@ -198,6 +198,10 @@ class TestPOP3Class(TestCase):
+ 113)
+ self.assertEqual(self.client.retr('foo'), expected)
+
++ def test_too_long_lines(self):
++ self.assertRaises(poplib.error_proto, self.client._shortcmd,
++ 'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
++
+ def test_dele(self):
+ self.assertOK(self.client.dele('foo'))
+
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1417827918 18000
+# Node ID 923aac88a3cc76a95d5a04d9d3ece245147a8064
+# Parent 339f877cca115c1901f5dd93d7bc066031d2a669
+smtplib: limit amount read from the network (closes #16042)
+
+diff --git a/Lib/smtplib.py b/Lib/smtplib.py
+--- a/Lib/smtplib.py
++++ b/Lib/smtplib.py
+@@ -57,6 +57,7 @@ from sys import stderr
+ SMTP_PORT = 25
+ SMTP_SSL_PORT = 465
+ CRLF = "\r\n"
++_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
+
+ OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
+
+@@ -179,10 +180,14 @@ else:
+ def __init__(self, sslobj):
+ self.sslobj = sslobj
+
+- def readline(self):
++ def readline(self, size=-1):
++ if size < 0:
++ size = None
+ str = ""
+ chr = None
+ while chr != "\n":
++ if size is not None and len(str) >= size:
++ break
+ chr = self.sslobj.read(1)
+ if not chr:
+ break
+@@ -353,7 +358,7 @@ class SMTP:
+ self.file = self.sock.makefile('rb')
+ while 1:
+ try:
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
+ except socket.error as e:
+ self.close()
+ raise SMTPServerDisconnected("Connection unexpectedly closed: "
+@@ -363,6 +368,8 @@ class SMTP:
+ raise SMTPServerDisconnected("Connection unexpectedly closed")
+ if self.debuglevel > 0:
+ print>>stderr, 'reply:', repr(line)
++ if len(line) > _MAXLINE:
++ raise SMTPResponseException(500, "Line too long.")
+ resp.append(line[4:].strip())
+ code = line[:3]
+ # Check that the error code is syntactically correct.
+diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py
+--- a/Lib/test/test_smtplib.py
++++ b/Lib/test/test_smtplib.py
+@@ -292,6 +292,33 @@ class BadHELOServerTests(unittest.TestCa
+ HOST, self.port, 'localhost', 3)
+
+
++ at unittest.skipUnless(threading, 'Threading required for this test.')
++class TooLongLineTests(unittest.TestCase):
++ respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
++
++ def setUp(self):
++ self.old_stdout = sys.stdout
++ self.output = StringIO.StringIO()
++ sys.stdout = self.output
++
++ self.evt = threading.Event()
++ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++ self.sock.settimeout(15)
++ self.port = test_support.bind_port(self.sock)
++ servargs = (self.evt, self.respdata, self.sock)
++ threading.Thread(target=server, args=servargs).start()
++ self.evt.wait()
++ self.evt.clear()
++
++ def tearDown(self):
++ self.evt.wait()
++ sys.stdout = self.old_stdout
++
++ def testLineTooLong(self):
++ self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
++ HOST, self.port, 'localhost', 3)
++
++
+ sim_users = {'Mr.A at somewhere.com':'John A',
+ 'Ms.B at somewhere.com':'Sally B',
+ 'Mrs.C at somewhereesle.com':'Ruth C',
+@@ -526,7 +553,8 @@ class SMTPSimTests(unittest.TestCase):
+ def test_main(verbose=None):
+ test_support.run_unittest(GeneralTests, DebuggingServerTests,
+ NonConnectingTests,
+- BadHELOServerTests, SMTPSimTests)
++ BadHELOServerTests, SMTPSimTests,
++ TooLongLineTests)
+
+ if __name__ == '__main__':
+ test_main()
diff --git a/python.spec b/python.spec
index c55f23d..2dda1c6 100644
--- a/python.spec
+++ b/python.spec
@@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
Name: %{python}
# Remember to also rebase python-docs when changing this:
Version: 2.7.5
-Release: 15%{?dist}
+Release: 16%{?dist}
License: Python
Group: Development/Languages
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -906,6 +906,19 @@ Patch197: 00197-potential-buffer-overflow.patch
# document root.
Patch198: 00198-fix-CVE-2014-4650.patch
+# 00199 #
+#
+# multiple unbound readline() DoS flaws in python stdlib
+# CVE-2013-1752
+# following fixes (which all relates to this CVE) are in this patch:
+# * ftplib: Limit amount of data read by limiting the call to readline(). #16038
+# * imaplib: limit line length in imaplib readline calls. #16039
+# * nntplib: Limit maximum line lengths to 2048 to prevent readline() calls
+# from consuming too much memory. #16040
+# * poplib: limit maximum line length that we read from the network #16041
+# * smtplib: limit amount read from the network #16042
+Patch199: 00199-fix-CVE-2013-1752.patch
+
# (New patches go here ^^^)
#
@@ -1265,6 +1278,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
%patch196 -p1
%patch197 -p1
%patch198 -p1
+%patch199 -p1
# This shouldn't be necesarry, but is right now (2.2a3)
@@ -2094,6 +2108,10 @@ rm -fr %{buildroot}
# ======================================================
%changelog
+* Fri Apr 10 2015 Robert Kuska <rkuska at redhat.com> - 2.7.5-16
+- Fix CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib
+Resolves: rhbz#1159200
+
* Mon Nov 03 2014 Slavek Kabrda <bkabrda at redhat.com> - 2.7.5-15
- Fix CVE-2014-4650 - CGIHTTPServer URL handling
Resolves: rhbz#1113528
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/python.git/commit/?h=f20&id=d1cbd06fb0e97e2f40b886c6d7587c72c5bfa901
More information about the scm-commits
mailing list