CVE-2013-1752: smtplib unlimited read

The smtplib module does not limit the amount of data read by its call to readline() when parsing a server reply. A buggy or malicious SMTP server that sends a very long reply line (one with no line terminator) can therefore make the client consume an arbitrary amount of memory.
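The following is an added example, not code from CPython or from the page above: a reply-parsing loop in the shape of smtplib's getreply() in its unbounded form next to a bounded form, run against constructed server output. The 8192-byte cap, the error class and the sample replies are assumptions of this example, not a quotation of the upstream patch; the mitigation pattern is the point: pass a size to readline() and reject any line that comes back longer than the cap, since such a line had no terminator within the budget.

```python
"""Added example: unbounded vs. bounded SMTP reply parsing (CVE-2013-1752 pattern)."""
import io

MAXLINE = 8192  # assumed cap for this example; RFC 5321 reply lines are far shorter


class SMTPResponseError(Exception):
    """Hypothetical error type standing in for smtplib.SMTPResponseException."""

    def __init__(self, code, msg):
        super().__init__(f"{code} {msg}")
        self.smtp_code = code
        self.smtp_error = msg


def _parse_reply(readline):
    """Shared loop: 'NNN-text' lines continue the reply, 'NNN text' ends it."""
    resp, code = [], -1
    while True:
        line = readline()
        if not line:
            raise SMTPResponseError(421, "Connection unexpectedly closed")
        resp.append(line[4:].strip(b" \t\r\n"))
        try:
            code = int(line[:3])
        except ValueError:
            break
        if line[3:4] != b"-":
            break
    return code, b"\n".join(resp)


def getreply_unbounded(fp):
    """Vulnerable pattern: readline() with no size limit. A server that never
    sends CRLF makes the client buffer everything the server emits."""
    return _parse_reply(fp.readline)


def getreply_bounded(fp, maxline=MAXLINE):
    """Hardened pattern: readline(maxline + 1) returns at most maxline + 1 bytes,
    so any result longer than maxline means no terminator arrived in time."""

    def limited_readline():
        line = fp.readline(maxline + 1)
        if len(line) > maxline:
            raise SMTPResponseError(500, "Line too long.")
        return line

    return _parse_reply(limited_readline)


class EndlessLine:
    """Constructed stand-in for a malicious server: an infinite line with no CRLF.
    Only a size-limited readline() can ever return from it."""

    def __init__(self):
        self.consumed = 0

    def readline(self, size=-1):
        if size is None or size < 0:
            raise RuntimeError("unbounded read from an endless stream would never return")
        self.consumed += size
        return b"A" * size


def demo():
    """Run both readers on constructed replies; returns the observations."""
    results = {}
    # A legitimate two-line reply (constructed sample), accepted by both readers.
    good = b"250-mail.example.test greets you\r\n250 SIZE 35882577\r\n"
    results["good_unbounded"] = getreply_unbounded(io.BytesIO(good))
    results["good_bounded"] = getreply_bounded(io.BytesIO(good))

    # One megabyte of reply text with no terminator: the unbounded reader keeps
    # all of it in memory, the bounded reader rejects it after MAXLINE + 1 bytes.
    payload = b"220 " + b"A" * (1024 * 1024)
    results["hostile_unbounded_len"] = len(getreply_unbounded(io.BytesIO(payload))[1])
    try:
        getreply_bounded(io.BytesIO(payload))
        results["hostile_bounded_code"] = None
    except SMTPResponseError as exc:
        results["hostile_bounded_code"] = exc.smtp_code

    # Against a stream that never ends, the bounded reader still terminates.
    endless = EndlessLine()
    try:
        getreply_bounded(endless)
    except SMTPResponseError:
        results["endless_consumed"] = endless.consumed
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if not isinstance(value, tuple) else value[0])
```

The bounded reader's memory use is independent of what the server sends: each iteration holds at most MAXLINE + 1 bytes, and the first over-long line aborts the reply instead of being buffered.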

  • Disclosure date: 2012-09-25 (Python issue #16042 reported)
  • Red Hat impact: Moderate

Fixed In

Vulnerable Versions

  • Python 3.3

Python issue

smtplib: unlimited readline() from connection.

  • Python issue: issue #16042
  • Creation date: 2012-09-25
  • Reporter: Christian Heimes

Timeline

Timeline using the disclosure date 2012-09-25 as reference:

  • 2012-09-25: Python issue #16042 reported by Christian Heimes
  • 2014-09-30 (+735 days): commit 210ee47
  • 2014-10-11 (+746 days): Python 3.2.6 released
  • 2014-12-06 (+802 days): commit dabfc56
  • 2014-12-10 (+806 days): Python 2.7.9 released
  • 2015-02-23 (+881 days): Python 3.4.3 released
  • 2015-09-09 (+1079 days): Python 3.5.0 released