CVE-2018-1060: difflib and poplib catastrophic backtracking

Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential DoS vectors (ReDoS). They have been refactored.

This resolves CVE-2018-1060 and CVE-2018-1061.

Patch by Jamie Davis.
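The following is an added illustration (the editor's example, not code from CPython or from the patch) of the kind of check a reviewer runs when a regex is refactored for this reason: JUNK_VULNERABLE is a constructed pattern with two `\s*` quantifiers that can divide the same run of whitespace between them, so a line of spaces ending in a non-space character forces quadratic backtracking before the match fails; JUNK_FIXED is a rewrite in which each character can be consumed in only one way. The pattern names, the probe input and the sample lines are all the editor's constructions.

```python
"""Checking a regex refactor for catastrophic backtracking (editor's example)."""
import re
import time

# Constructed pattern with the problematic shape: two \s* separated only by an
# optional token.  On "n spaces + 'x'" the engine tries every split of the
# spaces between the two quantifiers before giving up: O(n^2) steps.
JUNK_VULNERABLE = re.compile(r"\s*#?\s*$")

# Refactored form: whitespace after '#' can only be consumed once a '#' has
# matched, so there is a single way to divide the input and failure is O(n).
JUNK_FIXED = re.compile(r"\s*(?:#\s*)?$")

# Constructed sample lines used to confirm the rewrite accepts the same inputs.
SAMPLES = ["", "   ", "#", "  # ", "  #  x", "x", "# #", "  ##", "\t#\t", "#x"]


def probe(n: int) -> str:
    """Constructed worst-case input: n spaces, then a character that forces failure."""
    return " " * n + "x"


def timed_match(pattern: re.Pattern, text: str):
    """Return (seconds, matched) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return time.perf_counter() - start, matched


def disagreements(old: re.Pattern, new: re.Pattern, samples):
    """Refactoring check: list every sample the two patterns classify differently."""
    return [s for s in samples if (old.match(s) is None) != (new.match(s) is None)]


def growth_ratio(pattern: re.Pattern, n: int) -> float:
    """Time at 2n divided by time at n: about 4 signals quadratic, near 1-2 linear."""
    t1, _ = timed_match(pattern, probe(n))
    t2, _ = timed_match(pattern, probe(2 * n))
    return t2 / max(t1, 1e-9)


if __name__ == "__main__":
    # 1. The rewrite must be behaviour-preserving on ordinary inputs.
    print("disagreements:", disagreements(JUNK_VULNERABLE, JUNK_FIXED, SAMPLES))
    # 2. Only the original pattern should slow down superlinearly on the probe.
    for name, pat in (("vulnerable", JUNK_VULNERABLE), ("fixed", JUNK_FIXED)):
        secs, hit = timed_match(pat, probe(3000))
        print(f"{name:10s} n=3000: {secs:.4f}s matched={hit} "
              f"growth(1000->2000)={growth_ratio(pat, 1000):.1f}x")
```

The two checks together are what a reviewer wants from a ReDoS fix: `disagreements` must be empty so the refactor does not change which lines are treated as junk, and the growth ratio for the rewritten pattern must stay flat while the original's climbs with input size.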

  • Disclosure date: 2018-03-02 (Python issue bpo-32981 reported)

Fixed In

Python issue

Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061).

  • Python issue: bpo-32981
  • Creation date: 2018-03-02
  • Reporter: James Davis

Timeline

Timeline using the disclosure date 2018-03-02 as reference:

  • 2018-03-02: Python issue bpo-32981 reported by James Davis
  • 2018-03-04 (+2 days): commit 0902a2d
  • 2018-03-04 (+2 days): commit c951675
  • 2018-03-04 (+2 days): commit e052d40
  • 2018-03-11 (+9 days): commit 937ac1f
  • 2018-03-11 (+9 days): commit 942cc04
  • 2018-03-28 (+26 days): Python 3.6.5 released
  • 2018-04-29 (+58 days): Python 2.7.15 released
  • 2018-06-28: Python 3.7.0 released
  • 2018-08-02 (+153 days): Python 3.4.9 released
  • 2018-08-02 (+153 days): Python 3.5.6 released