ftplib unlimited read
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
ftplib: unlimited read from connection.
Dates:
- Disclosure date: 2012-09-25 (Python issue bpo-16038 reported)
- Red Hat impact: Moderate
Fixed In
- Python 2.7.6 (2013-11-10) fixed by commit 2585e1e (branch 2.7) (2013-10-20)
- Python 3.2.6 (2014-10-12) fixed by commit c9cb18d (branch 3.2) (2014-09-30)
- Python 3.3.3 (2013-11-17) fixed by commit c30b178 (branch 3.3) (2013-10-20)
- Python 3.4.0 (2014-03-16) fixed by commit c30b178 (branch 3.3) (2013-10-20)
Python issue
ftplib: unlimited readline() from connection.
- Python issue: bpo-16038
- Creation date: 2012-09-25
- Reporter: Christian Heimes
CVE-2013-1752
** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.
- CVE ID: CVE-2013-1752
- Published: 2019-06-03
- CVSS Score: 5.0
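The defect described above is a readline() call with no size limit on the FTP control connection: a peer that keeps sending bytes without ever sending a newline makes the client buffer all of them. The fix adopted in the commits listed here caps the length of a single line (ftplib exposes the cap as FTP.maxline, default 8192 bytes) and fails the connection when it is exceeded. The following is an added example, not code from the advisory or from CPython; it reproduces the unbounded and the bounded read side by side over a constructed in-memory stream (io.BytesIO stands in for the socket file object), so the memory behaviour can be observed without any network. The names read_line_unbounded, read_line_bounded, make_conn and compare are this example's own.

```python
"""Unbounded vs. capped line reads on a control connection (bpo-16038 pattern).

Added illustration; not the advisory's or CPython's code. io.BytesIO stands in
for the file object ftplib wraps around the control socket.
"""
import io

# Per-line cap; 8192 is the default CPython chose for FTP.maxline after the fix.
MAXLINE = 8192


class LineTooLong(Exception):
    """Raised when the peer sends more bytes than the cap without a newline."""


def make_conn(payload: bytes) -> io.BytesIO:
    """Constructed stand-in for the socket file object; payload is what the peer sends."""
    return io.BytesIO(payload)


def read_line_unbounded(conn) -> bytes:
    """Pre-fix behaviour: readline() with no size argument.

    The call accumulates bytes until it sees b'\\n' or EOF. A peer that never
    sends a newline forces the client to buffer everything it sends.
    """
    return conn.readline()


def read_line_bounded(conn, maxline: int = MAXLINE) -> bytes:
    """Post-fix behaviour: read at most maxline + 1 bytes.

    Asking for one byte more than the cap lets us distinguish "a line of exactly
    maxline bytes" (allowed) from "the peer exceeded the cap" (refused) without
    ever holding more than maxline + 1 bytes of the line in memory.
    """
    line = conn.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("got more than %d bytes" % maxline)
    return line


def compare(payload: bytes, maxline: int = MAXLINE) -> dict:
    """Feed the same payload to both readers and report what each one did.

    Returns the number of bytes the unbounded reader buffered, and whether the
    bounded reader accepted the line or refused it.
    """
    unbounded_len = len(read_line_unbounded(make_conn(payload)))
    try:
        bounded = read_line_bounded(make_conn(payload), maxline)
        bounded_result = "ok:%d" % len(bounded)
    except LineTooLong:
        bounded_result = "refused"
    return {"unbounded_len": unbounded_len, "bounded": bounded_result}


if __name__ == "__main__":
    # A normal greeting line is accepted by both readers.
    print(compare(b"220 welcome\r\n"))
    # A long run of bytes with no newline (constructed): the unbounded reader
    # buffers all of it, the bounded reader stops at the cap and refuses.
    print(compare(b"2" * 100_000))
```

compare() returns "ok:<n>" for an accepted line and "refused" when the cap is hit, so the two behaviours can be checked mechanically; the same cap-and-refuse shape applies to the other line-oriented protocol modules named in the CVE text.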
Timeline
Timeline using the disclosure date 2012-09-25 as reference:
- 2012-09-25: Python issue bpo-16038 reported by Christian Heimes
- 2013-10-20 (+390 days): commit 2585e1e (branch 2.7)
- 2013-10-20 (+390 days): commit c30b178 (branch 3.3)
- 2013-11-10 (+411 days): Python 2.7.6 released
- 2013-11-17 (+418 days): Python 3.3.3 released
- 2014-03-16: Python 3.4.0 released
- 2014-09-30 (+735 days): commit c9cb18d (branch 3.2)
- 2014-10-12 (+747 days): Python 3.2.6 released
- 2019-06-03 (+2442 days): CVE-2013-1752 published