difflib and poplib catastrophic backtracking

Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes were potential denial-of-service vectors (ReDoS). They have been refactored.
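
A regression check for the refactored patterns, added here as an example (it is not part of this advisory or of CPython's own test suite). It reproduces the pre- and post-fix regexes from the bpo-32981 fix commit, which this page does not quote, and constructs worst-case inputs for the old patterns so their quadratic behaviour can be timed against the fixed ones and both versions compared on ordinary input.

```python
"""Regression check for the bpo-32981 regex fix (CVE-2018-1060 / CVE-2018-1061)."""
import re
import time

# Patterns as they appeared in CPython before and after the bpo-32981 fix
# (taken from the fix commit; the advisory itself does not quote them).
OLD_IS_LINE_JUNK = re.compile(r"\s*#?\s*$").match
NEW_IS_LINE_JUNK = re.compile(r"\s*(?:#\s*)?$").match
OLD_APOP_TIMESTAMP = re.compile(br"\+OK.*(<[^>]+>)").match
NEW_APOP_TIMESTAMP = re.compile(br"\+OK.[^<]*(<.*>)").match


def is_line_junk(line, matcher=NEW_IS_LINE_JUNK):
    """difflib.IS_LINE_JUNK semantics: blank, or a lone '#' surrounded by whitespace."""
    return matcher(line) is not None


def apop_timestamp(welcome, matcher=NEW_APOP_TIMESTAMP):
    """Extract the <...> challenge from a POP3 welcome banner, as poplib.apop() does."""
    m = matcher(welcome)
    return m.group(1) if m else None


def junk_line_probe(n):
    """Constructed worst case for the old difflib pattern: n spaces then a non-space.
    The two \\s* quantifiers can split the spaces n ways before '$' fails: O(n^2)."""
    return " " * n + "x"


def welcome_probe(n):
    """Constructed worst case for the old poplib pattern: '<' repeated, never closed.
    '.*' retreats one byte at a time and '<[^>]+>' rescans from each position: O(n^2)."""
    return b"+OK " + b"<" * n


def seconds(matcher, data):
    """Wall-clock time of a single match attempt."""
    start = time.perf_counter()
    matcher(data)
    return time.perf_counter() - start


def patterns_agree(cases, old, new):
    """True when old and new yield the same match and groups on every case."""
    def view(m):
        return None if m is None else (m.group(0), m.groups())
    return all(view(old(c)) == view(new(c)) for c in cases)


if __name__ == "__main__":
    for name, old, new, probe in (
        ("difflib.IS_LINE_JUNK", OLD_IS_LINE_JUNK, NEW_IS_LINE_JUNK, junk_line_probe(10_000)),
        ("poplib.apop timestamp", OLD_APOP_TIMESTAMP, NEW_APOP_TIMESTAMP, welcome_probe(10_000)),
    ):
        print(f"{name}: old {seconds(old, probe):.3f}s, new {seconds(new, probe):.3f}s")
```

The old and new poplib patterns differ when a banner contains more than one `<...>` group, so `patterns_agree` is meant for well-formed banners, not as a proof of equivalence.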

This resolves CVE-2018-1060 and CVE-2018-1061.

Patch by Jamie Davis.

  • Disclosure date: 2018-03-02 (Python issue bpo-32981 reported)

Fixed In

Python issue

Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061).

  • Python issue: bpo-32981
  • Creation date: 2018-03-02
  • Reporter: James Davis

CVE-2018-1060

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib’s apop() method. An attacker could use this flaw to cause denial of service.

CVE-2018-1061

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

Timeline

Timeline using the disclosure date 2018-03-02 as reference: