.. _nntplib-unlimited-read:

nntplib unlimited read
======================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2013-1752>`_.

Unlimited read from connection in nntplib.

Dates:

* Disclosure date: **2012-09-25** (Python issue bpo-16040 reported)
* `Red Hat impact <https://access.redhat.com/security/updates/classification/>`_: Moderate

Fixed In
--------

* Python **2.6.9** (2013-10-29) fixed by `commit 42faa55 (branch 2.7) <https://github.com/python/cpython/commit/42faa55124abcbb132c57745dec9e0489ac74406>`_ (2013-09-30)
* Python **2.7.6** (2013-11-10) fixed by `commit 42faa55 (branch 2.7) <https://github.com/python/cpython/commit/42faa55124abcbb132c57745dec9e0489ac74406>`_ (2013-09-30)
* Python **3.2.6** (2014-10-12) fixed by `commit b3ac843 (branch 3.2) <https://github.com/python/cpython/commit/b3ac84322fe6dd542aa755779cdbc155edca8064>`_ (2014-10-12)
* Python **3.3.7** (2017-09-19) fixed by `commit b3ac843 (branch 3.2) <https://github.com/python/cpython/commit/b3ac84322fe6dd542aa755779cdbc155edca8064>`_ (2014-10-12)
* Python **3.4.3** (2015-02-25) fixed by `commit b3ac843 (branch 3.2) <https://github.com/python/cpython/commit/b3ac84322fe6dd542aa755779cdbc155edca8064>`_ (2014-10-12)
* Python **3.5.0** (2015-09-12) fixed by `commit b3ac843 (branch 3.2) <https://github.com/python/cpython/commit/b3ac84322fe6dd542aa755779cdbc155edca8064>`_ (2014-10-12)

Python issue
------------

nntplib: unlimited readline() from connection.

* Python issue: `bpo-16040 <https://bugs.python.org/issue16040>`_
* Creation date: 2012-09-25
* Reporter: Christian Heimes

CVE-2013-1752
-------------

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions.

* CVE ID: `CVE-2013-1752 <https://nvd.nist.gov/vuln/detail/CVE-2013-1752/>`_
* Published: 2019-06-03
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 5.0

Timeline
--------

Timeline using the disclosure date **2012-09-25** as reference:

* 2012-09-25: `Python issue bpo-16040 <https://bugs.python.org/issue16040>`_ reported by Christian Heimes
* 2013-09-30 (**+370 days**): `commit 42faa55 (branch 2.7) <https://github.com/python/cpython/commit/42faa55124abcbb132c57745dec9e0489ac74406>`_
* 2013-10-29 (**+399 days**): Python 2.6.9 released
* 2013-11-10 (**+411 days**): Python 2.7.6 released
* 2014-10-12 (**+747 days**): `commit b3ac843 (branch 3.2) <https://github.com/python/cpython/commit/b3ac84322fe6dd542aa755779cdbc155edca8064>`_
* 2014-10-12 (**+747 days**): Python 3.2.6 released
* 2015-02-25 (**+883 days**): Python 3.4.3 released
* 2015-09-12: Python 3.5.0 released
* 2017-09-19 (**+1820 days**): Python 3.3.7 released
* 2019-06-03 (**+2442 days**): CVE-2013-1752 published

Links
-----

* https://access.redhat.com/security/cve/cve-2013-1752