difflib and poplib catastrophic backtracking

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential DOS vectors (REDOS). They have been refactored.

This resolves CVE-2018-1060 and CVE-2018-1061.

Patch by Jamie Davis.

Dates:

• Disclosure date: 2018-03-02 (Python issue bpo-32981 reported)

Fixed In

• Python 2.7.15 (2018-04-29) fixed by commit e052d40 (branch 2.7) (2018-03-04)
• Python 3.4.9 (2018-08-02) fixed by commit 942cc04 (branch 3.4) (2018-03-11)
• Python 3.5.6 (2018-08-02) fixed by commit 937ac1f (branch 3.5) (2018-03-11)
• Python 3.6.5 (2018-03-28) fixed by commit c951675 (branch 3.6) (2018-03-04)
• Python 3.7.0 (2018-06-27) fixed by commit 0902a2d (branch 3.7) (2018-03-04)

Python issue

Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061).

• Python issue: bpo-32981
• Creation date: 2018-03-02
• Reporter: James Davis

CVE-2018-1060

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib’s apop() method. An attacker could use this flaw to cause denial of service.

• CVE ID: CVE-2018-1060
• Published: 2018-06-18
• CVSS Score: 5.0

CVE-2018-1061

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

• CVE ID: CVE-2018-1061
• Published: 2018-06-19
• CVSS Score: 5.0

Timeline

Timeline using the disclosure date 2018-03-02 as reference:

• 2018-03-02: Python issue bpo-32981 reported by James Davis
• 2018-03-04 (+2 days): commit 0902a2d (branch 3.7)
• 2018-03-04 (+2 days): commit c951675 (branch 3.6)
• 2018-03-04 (+2 days): commit e052d40 (branch 2.7)
• 2018-03-11 (+9 days): commit 937ac1f (branch 3.5)
• 2018-03-11 (+9 days): commit 942cc04 (branch 3.4)
• 2018-03-28 (+26 days): Python 3.6.5 released
• 2018-04-29 (+58 days): Python 2.7.15 released
• 2018-06-18 (+108 days): CVE-2018-1060 published
• 2018-06-19 (+109 days): CVE-2018-1061 published
• 2018-06-27: Python 3.7.0 released
• 2018-08-02 (+153 days): Python 3.4.9 released
• 2018-08-02 (+153 days): Python 3.5.6 released

Links

• https://nvd.nist.gov/vuln/detail/CVE-2018-1060/
• https://nvd.nist.gov/vuln/detail/CVE-2018-1061/