.. _poplib-unlimited-read:

poplib unlimited read
=====================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2013-1752>`_.

poplib: unlimited read from connection.

Dates:

* Disclosure date: **2012-09-25** (Python issue bpo-16041 reported)
* `Red Hat impact <https://access.redhat.com/security/updates/classification/>`_: Moderate

Fixed In
--------

* Python **2.7.9** (2014-12-10) fixed by `commit faad6bb (branch 2.7) <https://github.com/python/cpython/commit/faad6bbea6c86e30c770eb0a3648e2cd52b2e55e>`_ (2014-12-06)
* Python **3.2.6** (2014-10-12) fixed by `commit eaca861 (branch 3.2) <https://github.com/python/cpython/commit/eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e>`_ (2014-09-30)
* Python **3.3.7** (2017-09-19) fixed by `commit eaca861 (branch 3.2) <https://github.com/python/cpython/commit/eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e>`_ (2014-09-30)
* Python **3.4.3** (2015-02-25) fixed by `commit eaca861 (branch 3.2) <https://github.com/python/cpython/commit/eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e>`_ (2014-09-30)
* Python **3.5.0** (2015-09-12) fixed by `commit eaca861 (branch 3.2) <https://github.com/python/cpython/commit/eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e>`_ (2014-09-30)

Python issue
------------

poplib: unlimited readline() from connection.

* Python issue: `bpo-16041 <https://bugs.python.org/issue16041>`_
* Creation date: 2012-09-25
* Reporter: Christian Heimes

CVE-2013-1752
-------------

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions.

* CVE ID: `CVE-2013-1752 <https://nvd.nist.gov/vuln/detail/CVE-2013-1752/>`_
* Published: 2019-06-03
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 5.0

Timeline
--------

Timeline using the disclosure date **2012-09-25** as reference:

* 2012-09-25: `Python issue bpo-16041 <https://bugs.python.org/issue16041>`_ reported by Christian Heimes
* 2014-09-30 (**+735 days**): `commit eaca861 (branch 3.2) <https://github.com/python/cpython/commit/eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e>`_
* 2014-10-12 (**+747 days**): Python 3.2.6 released
* 2014-12-06 (**+802 days**): `commit faad6bb (branch 2.7) <https://github.com/python/cpython/commit/faad6bbea6c86e30c770eb0a3648e2cd52b2e55e>`_
* 2014-12-10 (**+806 days**): Python 2.7.9 released
* 2015-02-25 (**+883 days**): Python 3.4.3 released
* 2015-09-12: Python 3.5.0 released
* 2017-09-19 (**+1820 days**): Python 3.3.7 released
* 2019-06-03 (**+2442 days**): CVE-2013-1752 published

Links
-----

* https://access.redhat.com/security/cve/cve-2013-1752