.. _email-fold-dos:

Email folding function Denial-of-Service
========================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available
   on GitHub in the Open Source Vulnerability (OSV) format. This database can
   be viewed online at the Open Source Vulnerability Database.

The email folding function enters an infinite loop if a header is longer than
the policy maximum line length and contains many non-ASCII characters.

Regression introduced in Python 3.6.4.

Dates:

* Disclosure date: **2018-05-16** (Python issue bpo-33529 reported)

Fixed In
--------

* Python **3.6.9** (2019-07-02) fixed by commit 516a6a2 (branch 3.6) (2019-06-18)
* Python **3.7.4** (2019-07-08) fixed by commit 2fef5b0 (branch 3.7) (2019-05-14)
* Python **3.8.0** (2019-10-14) fixed by commit c1f5667 (branch 3.8) (2019-05-14)

Python issue
------------

[security] Infinite loop on folding email (_fold_as_ew()) if an header has no spaces.

* Python issue: bpo-33529
* Creation date: 2018-05-16
* Reporter: Rad164

Timeline
--------

Timeline using the disclosure date **2018-05-16** as reference:

* 2018-05-16: Python issue bpo-33529 reported by Rad164
* 2019-05-14 (**+363 days**): commit 2fef5b0 (branch 3.7)
* 2019-05-14 (**+363 days**): commit c1f5667 (branch 3.8)
* 2019-06-18 (**+398 days**): commit 516a6a2 (branch 3.6)
* 2019-07-02 (**+412 days**): Python 3.6.9 released
* 2019-07-08 (**+418 days**): Python 3.7.4 released
* 2019-10-14: Python 3.8.0 released
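
A mitigation sketch for services that must fold untrusted headers on an interpreter they cannot yet upgrade, added here as an example and not taken from the advisory or from CPython: the fold runs in a child interpreter under a deadline, so a fold that never terminates costs one killed process instead of a hung worker. The names ``is_affected``, ``fold_with_deadline`` and ``FoldTimeout`` are hypothetical, and treating 3.7.0 to 3.7.3 as affected is an assumption drawn from the 3.7.4 fix.

```python
import subprocess
import sys

# Child program: reads "name\nvalue" (UTF-8) from stdin, folds the header with
# the SMTP policy (78-column lines) and writes the serialized bytes to stdout.
_CHILD = r"""
import sys
from email import policy
from email.message import EmailMessage
name, value = sys.stdin.buffer.read().decode("utf-8").split("\n", 1)
msg = EmailMessage(policy=policy.SMTP)
msg[name] = value
sys.stdout.buffer.write(msg.as_bytes())
"""


class FoldTimeout(Exception):
    """Folding did not finish before the deadline (hypothetical name)."""


def is_affected(version):
    """Version ranges from the advisory: regression in 3.6.4, fixes in
    3.6.9 and 3.7.4 (3.8.0 shipped with the fix)."""
    v = tuple(version[:3])
    if v[:2] == (3, 6):
        return (3, 6, 4) <= v < (3, 6, 9)
    if v[:2] == (3, 7):
        return v < (3, 7, 4)  # assumption: 3.7.0-3.7.3 carry the regression
    return False


def fold_with_deadline(name, value, timeout=5.0):
    """Fold one header in a child interpreter; kill it if it overruns."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD],
            input=f"{name}\n{value}".encode("utf-8"),
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            timeout=timeout,  # run() kills the child when this expires
        )
    except subprocess.TimeoutExpired:
        raise FoldTimeout(f"folding {name!r} exceeded {timeout}s") from None
    if proc.returncode != 0:
        raise ValueError(proc.stderr.decode("utf-8", "replace").strip())
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample header, not taken from the advisory.
    print(is_affected(sys.version_info))
    print(fold_with_deadline("Subject", "Prüfung der Übersicht " * 8).decode())
```

Upgrading to a fixed release remains the actual remedy; the deadline only bounds the damage while an affected interpreter is still in service.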