Limit imaplib.IMAP4_SSL.readline()

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The imaplib module doesn’t limit the amount of read data in its call to IMAP4_SSL.readline(). An erroneous or malicious IMAP server can trick the imaplib module to consume large amounts of memory.

Dates:

• Disclosure date: 2012-09-25 (Python issue bpo-16039 reported)

Fixed In

• Python 2.7.16 (2019-03-02) fixed by commit 16d6320 (branch 2.7) (2018-12-12)

Python issue

imaplib: unlimited readline() from connection.

• Python issue: bpo-16039
• Creation date: 2012-09-25
• Reporter: Christian Heimes

CVE-2013-1752

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.

• CVE ID: CVE-2013-1752
• Published: 2019-06-03
• CVSS Score: 5.0

Timeline

Timeline using the disclosure date 2012-09-25 as reference:

• 2012-09-25: Python issue bpo-16039 reported by Christian Heimes
• 2018-12-12 (+2269 days): commit 16d6320 (branch 2.7)
• 2019-03-02 (+2349 days): Python 2.7.16 released
• 2019-06-03 (+2442 days): CVE-2013-1752 published