.. _smtplib-unlimited-read:

smtplib unlimited read
======================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2013-1752>`_.

The smtplib module doesn't limit the amount of read data in
its call to readline(). An erroneous or malicious SMTP server can trick the
smtplib module to consume large amounts of memory.

Dates:

* Disclosure date: **2012-09-25** (Python issue bpo-16042 reported)
* `Red Hat impact <https://access.redhat.com/security/updates/classification/>`_: Moderate

Fixed In
--------

* Python **2.7.9** (2014-12-10) fixed by `commit dabfc56 (branch 2.7) <https://github.com/python/cpython/commit/dabfc56b57f5086eb5522d8e6cd7670c62d2482d>`_ (2014-12-06)
* Python **3.2.6** (2014-10-12) fixed by `commit 210ee47 (branch 3.2) <https://github.com/python/cpython/commit/210ee47e3340d8e689d8cce584e7c918d368f16b>`_ (2014-09-30)
* Python **3.3.7** (2017-09-19) fixed by `commit 210ee47 (branch 3.2) <https://github.com/python/cpython/commit/210ee47e3340d8e689d8cce584e7c918d368f16b>`_ (2014-09-30)
* Python **3.4.3** (2015-02-25) fixed by `commit 210ee47 (branch 3.2) <https://github.com/python/cpython/commit/210ee47e3340d8e689d8cce584e7c918d368f16b>`_ (2014-09-30)
* Python **3.5.0** (2015-09-12) fixed by `commit 210ee47 (branch 3.2) <https://github.com/python/cpython/commit/210ee47e3340d8e689d8cce584e7c918d368f16b>`_ (2014-09-30)

Python issue
------------

smtplib: unlimited readline() from connection.

* Python issue: `bpo-16042 <https://bugs.python.org/issue16042>`_
* Creation date: 2012-09-25
* Reporter: Christian Heimes

CVE-2013-1752
-------------

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions.

* CVE ID: `CVE-2013-1752 <https://nvd.nist.gov/vuln/detail/CVE-2013-1752/>`_
* Published: 2019-06-03
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 5.0

Timeline
--------

Timeline using the disclosure date **2012-09-25** as reference:

* 2012-09-25: `Python issue bpo-16042 <https://bugs.python.org/issue16042>`_ reported by Christian Heimes
* 2014-09-30 (**+735 days**): `commit 210ee47 (branch 3.2) <https://github.com/python/cpython/commit/210ee47e3340d8e689d8cce584e7c918d368f16b>`_
* 2014-10-12 (**+747 days**): Python 3.2.6 released
* 2014-12-06 (**+802 days**): `commit dabfc56 (branch 2.7) <https://github.com/python/cpython/commit/dabfc56b57f5086eb5522d8e6cd7670c62d2482d>`_
* 2014-12-10 (**+806 days**): Python 2.7.9 released
* 2015-02-25 (**+883 days**): Python 3.4.3 released
* 2015-09-12: Python 3.5.0 released
* 2017-09-19 (**+1820 days**): Python 3.3.7 released
* 2019-06-03 (**+2442 days**): CVE-2013-1752 published

Links
-----

* https://access.redhat.com/security/cve/cve-2013-1752