CVE-2018-1060: difflib and poplib catastrophic backtracking

Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential denial-of-service vectors (regular expression denial of service, ReDoS): a crafted input could make the matcher take super-linear time. They have been refactored.

This resolves CVE-2018-1060 and CVE-2018-1061.

Patch by Jamie Davis.
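The advisory names the bug class but not the patterns. As an added illustration (not code from the page, from CPython or from the bpo-32981 patch), the block below shows two defender-side checks for catastrophic backtracking in Python regexes: a structural scan of the parsed pattern for nested unbounded repeats, and a timing check that exposes super-linear growth, run on a constructed quadratic pattern beside a linear rewrite of the same language. All patterns in it are constructed for the example; it uses the private `re._parser` module (`sre_parse` on older Pythons), which is an assumption about CPython internals that may change.

```python
"""Catastrophic backtracking (ReDoS) in regular expressions: a structural
check for nested unbounded repeats and a timing check for super-linear
growth, with a quadratic pattern beside a linear rewrite.

Every pattern here is constructed for this example; none is quoted from
difflib, poplib or the CVE-2018-1060 / CVE-2018-1061 patch.
"""
import re
import time

try:
    # Python 3.11+ keeps the regex parser at re._parser (private API, assumption)
    from re import _parser as sre_parse
except ImportError:
    import sre_parse  # older Pythons

# Constructed examples (assumptions, not the fixed library regexes):
NESTED_EXPONENTIAL = r"^(a+)+$"       # nested unbounded repeats: 2^n ways to split a run of 'a'
OVERLAP_QUADRATIC = r"\s*#?\s*$"      # two \s* can split a run of blanks n ways: O(n^2) on failure
OVERLAP_LINEAR = r"\s*(?:#\s*)?$"     # same language, only one way to consume the blanks


def _unbounded_repeat_depths(sub, depth=0):
    """Yield the nesting depth of every unbounded repeat in a parsed pattern."""
    for op, av in sub:
        if op in (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT):
            _lo, hi, body = av
            unbounded = hi == sre_parse.MAXREPEAT
            inner = depth + 1 if unbounded else depth
            if unbounded:
                yield inner
            yield from _unbounded_repeat_depths(body, inner)
        elif op == sre_parse.SUBPATTERN:
            yield from _unbounded_repeat_depths(av[-1], depth)  # last element is the body
        elif op == sre_parse.BRANCH:
            for alt in av[1]:
                yield from _unbounded_repeat_depths(alt, depth)


def has_nested_unbounded_repeat(pattern):
    """True if an unbounded repeat sits inside another: the (a+)+ shape.

    This is a heuristic: it flags the exponential shape but misses the
    adjacent-overlap shape of OVERLAP_QUADRATIC, which the timing check catches.
    """
    return any(d >= 2 for d in _unbounded_repeat_depths(sre_parse.parse(pattern)))


def match_seconds(pattern, text):
    """Wall-clock seconds for one anchored match attempt."""
    rx = re.compile(pattern)
    start = time.perf_counter()
    rx.match(text)
    return time.perf_counter() - start


def same_language_on(p1, p2, samples):
    """Regression check for a rewrite: both patterns accept exactly the same samples."""
    r1, r2 = re.compile(p1), re.compile(p2)
    return all((r1.match(s) is None) == (r2.match(s) is None) for s in samples)


def growth_ratio(pattern, make_input, n):
    """time(2n) / time(n): about 2 for linear, 4 for quadratic, far more for exponential."""
    t_n = match_seconds(pattern, make_input(n))
    t_2n = match_seconds(pattern, make_input(2 * n))
    return t_2n / t_n if t_n else float("inf")


def blanks_then_nonmatch(n):
    """Worst-case input for the overlap patterns: n blanks, then a char that fails '$'."""
    return " " * n + "x"


if __name__ == "__main__":
    for name, pat in (("quadratic", OVERLAP_QUADRATIC), ("linear", OVERLAP_LINEAR)):
        print(f"{name:9s} n=4000: {match_seconds(pat, blanks_then_nonmatch(4000)):.4f}s, "
              f"growth x{growth_ratio(pat, blanks_then_nonmatch, 2000):.1f}")
    print("nested repeat in", NESTED_EXPONENTIAL, "->",
          has_nested_unbounded_repeat(NESTED_EXPONENTIAL),
          f"({match_seconds(NESTED_EXPONENTIAL, 'a' * 18 + '!'):.4f}s for 18 chars)")
```

The structural scan is cheap enough to run over every pattern in a code base, but it only finds the nested shape; a pattern like `OVERLAP_QUADRATIC` passes it and still goes quadratic on a long run of whitespace, so a rewrite should be paired with the timing check on adversarial input and with `same_language_on` to confirm the new pattern still accepts the same strings.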

  • Disclosure date: 2018-03-02 (Python issue bpo-32981 reported)

Fixed In

Vulnerable Versions

  • Python 3.4
  • Python 3.5

Python issue

Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061).

  • Python issue: bpo-32981
  • Creation date: 2018-03-02
  • Reporter: James Davis

Timeline

Timeline using the disclosure date 2018-03-02 as reference: