.. _ftplib-unlimited-read:

ftplib unlimited read
=====================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2013-1752>`_.

ftplib: unlimited read from connection.

Dates:

* Disclosure date: **2012-09-25** (Python issue bpo-16038 reported)
* `Red Hat impact <https://access.redhat.com/security/updates/classification/>`_: Moderate

Fixed In
--------

* Python **2.7.6** (2013-11-10) fixed by `commit 2585e1e (branch 2.7) <https://github.com/python/cpython/commit/2585e1e48abb3013abeb8a1fe9dccb5f79ac4091>`_ (2013-10-20)
* Python **3.2.6** (2014-10-12) fixed by `commit c9cb18d (branch 3.2) <https://github.com/python/cpython/commit/c9cb18d3f7e5bf03220c213183ff0caa75905bdd>`_ (2014-09-30)
* Python **3.3.3** (2013-11-17) fixed by `commit c30b178 (branch 3.3) <https://github.com/python/cpython/commit/c30b178cbc92e62c22527cd7e1af2f02723ba679>`_ (2013-10-20)
* Python **3.4.0** (2014-03-16) fixed by `commit c30b178 (branch 3.3) <https://github.com/python/cpython/commit/c30b178cbc92e62c22527cd7e1af2f02723ba679>`_ (2013-10-20)

Python issue
------------

ftplib: unlimited readline() from connection.

* Python issue: `bpo-16038 <https://bugs.python.org/issue16038>`_
* Creation date: 2012-09-25
* Reporter: Christian Heimes

CVE-2013-1752
-------------

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions.

* CVE ID: `CVE-2013-1752 <https://nvd.nist.gov/vuln/detail/CVE-2013-1752/>`_
* Published: 2019-06-03
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 5.0

Timeline
--------

Timeline using the disclosure date **2012-09-25** as reference:

* 2012-09-25: `Python issue bpo-16038 <https://bugs.python.org/issue16038>`_ reported by Christian Heimes
* 2013-10-20 (**+390 days**): `commit 2585e1e (branch 2.7) <https://github.com/python/cpython/commit/2585e1e48abb3013abeb8a1fe9dccb5f79ac4091>`_
* 2013-10-20 (**+390 days**): `commit c30b178 (branch 3.3) <https://github.com/python/cpython/commit/c30b178cbc92e62c22527cd7e1af2f02723ba679>`_
* 2013-11-10 (**+411 days**): Python 2.7.6 released
* 2013-11-17 (**+418 days**): Python 3.3.3 released
* 2014-03-16: Python 3.4.0 released
* 2014-09-30 (**+735 days**): `commit c9cb18d (branch 3.2) <https://github.com/python/cpython/commit/c9cb18d3f7e5bf03220c213183ff0caa75905bdd>`_
* 2014-10-12 (**+747 days**): Python 3.2.6 released
* 2019-06-03 (**+2442 days**): CVE-2013-1752 published

Links
-----

* https://access.redhat.com/security/cve/cve-2013-1752