.. _difflib-poplib-backtracking:

difflib and poplib catastrophic backtracking
============================================

.. warning::

   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python `_ is available on GitHub
   in the Open Source Vulnerability (OSV) format. This database can be
   viewed online at the `Open Source Vulnerability Database `_.

Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
These regexes formed potential DoS vectors (ReDoS). They have been
refactored. This resolves CVE-2018-1060 and CVE-2018-1061. Patch by
**Jamie Davis**.

Dates:

* Disclosure date: **2018-03-02** (Python issue bpo-32981 reported)

Fixed In
--------

* Python **2.7.15** (2018-04-29) fixed by `commit e052d40 (branch 2.7) `_ (2018-03-04)
* Python **3.4.9** (2018-08-02) fixed by `commit 942cc04 (branch 3.4) `_ (2018-03-11)
* Python **3.5.6** (2018-08-02) fixed by `commit 937ac1f (branch 3.5) `_ (2018-03-11)
* Python **3.6.5** (2018-03-28) fixed by `commit c951675 (branch 3.6) `_ (2018-03-04)
* Python **3.7.0** (2018-06-27) fixed by `commit 0902a2d (branch 3.7) `_ (2018-03-04)

Python issue
------------

Catastrophic backtracking in poplib (CVE-2018-1060) and difflib
(CVE-2018-1061).

* Python issue: `bpo-32981 `_
* Creation date: 2018-03-02
* Reporter: James Davis

CVE-2018-1060
-------------

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is
vulnerable to catastrophic backtracking in pop3lib's apop() method. An
attacker could use this flaw to cause denial of service.

* CVE ID: `CVE-2018-1060 `_
* Published: 2018-06-18
* `CVSS Score `_: 5.0

CVE-2018-1061
-------------

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is
vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.
An attacker could use this flaw to cause denial of service.

* CVE ID: `CVE-2018-1061 `_
* Published: 2018-06-19
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2018-03-02** as reference:

* 2018-03-02: `Python issue bpo-32981 `_ reported by James Davis
* 2018-03-04 (**+2 days**): `commit 0902a2d (branch 3.7) `_
* 2018-03-04 (**+2 days**): `commit c951675 (branch 3.6) `_
* 2018-03-04 (**+2 days**): `commit e052d40 (branch 2.7) `_
* 2018-03-11 (**+9 days**): `commit 937ac1f (branch 3.5) `_
* 2018-03-11 (**+9 days**): `commit 942cc04 (branch 3.4) `_
* 2018-03-28 (**+26 days**): Python 3.6.5 released
* 2018-04-29 (**+58 days**): Python 2.7.15 released
* 2018-06-18 (**+108 days**): CVE-2018-1060 published
* 2018-06-19 (**+109 days**): CVE-2018-1061 published
* 2018-06-27: Python 3.7.0 released
* 2018-08-02 (**+153 days**): Python 3.4.9 released
* 2018-08-02 (**+153 days**): Python 3.5.6 released

Links
-----

* https://nvd.nist.gov/vuln/detail/CVE-2018-1060/
* https://nvd.nist.gov/vuln/detail/CVE-2018-1061/
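The two regex changes behind CVE-2018-1060 and CVE-2018-1061, as an added example that is not part of this page: the patterns before and after the fix are quoted from memory of the bpo-32981 commits (treat them as an assumption, not as text from this page), and the helper functions and constructed inputs are this example's own, so a practitioner can confirm that the refactored patterns keep the same verdict on ordinary input while no longer backtracking quadratically on a long hostile line.

```python
import re
import time

# difflib.IS_LINE_JUNK pattern before and after the fix (assumed, from memory
# of the CPython patch). Before: an optional '#' between two \s* runs lets the
# engine retry every split of a long whitespace run when '$' finally fails,
# which is quadratic in the line length.
JUNK_BEFORE = re.compile(r"\s*#?\s*$")
# After: '#' and its trailing whitespace form one optional group, so a failing
# '$' backtracks the leading \s* once per position: linear.
JUNK_AFTER = re.compile(r"\s*(?:#\s*)?$")

# poplib.apop() timestamp pattern before and after the fix (assumed, as above).
# Before: greedy '.*' followed by '<[^>]+>' re-scans the tail for every '<'.
APOP_BEFORE = re.compile(rb"\+OK.*(<[^>]+>)")
# After: '[^<]*' stops at the first '<', so each byte is examined a bounded
# number of times.
APOP_AFTER = re.compile(rb"\+OK.[^<]*(<.*>)")


def is_line_junk(line, pat=JUNK_AFTER.match):
    """Same contract as difflib.IS_LINE_JUNK: blank or '#'-only lines are junk."""
    return pat(line) is not None


def apop_timestamp(greeting, pat=APOP_AFTER):
    """Return the <...> timestamp from a POP3 banner, as poplib.apop() needs it."""
    m = pat.match(greeting)
    return m.group(1) if m else None


def junk_verdicts_agree(line):
    """The two difflib patterns accept the same lines; only worst-case cost differs."""
    return is_line_junk(line, JUNK_BEFORE.match) == is_line_junk(line, JUNK_AFTER.match)


def match_seconds(pat, payload):
    """Wall-clock cost of one match, to compare BEFORE and AFTER on the same input."""
    start = time.perf_counter()
    pat.match(payload)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed worst-case inputs: a long whitespace run that ends in a
    # non-junk character, and a banner of many '<' with no closing '>'.
    junk_payload = " " * 5000 + "x"
    apop_payload = b"+OK " + b"<" * 5000
    for name, before, after, payload in (
        ("difflib", JUNK_BEFORE, JUNK_AFTER, junk_payload),
        ("poplib", APOP_BEFORE, APOP_AFTER, apop_payload),
    ):
        print(f"{name}: before {match_seconds(before, payload):.3f}s, "
              f"after {match_seconds(after, payload):.3f}s")
```

Raising the 5000 in the payloads shows the before/after gap widening roughly quadratically versus linearly.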