nntplib unlimited read

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Unlimited read from connection in nntplib.

Dates:

  • Disclosure date: 2012-09-25 (Python issue bpo-16040 reported)
  • Red Hat impact: Moderate

Fixed In

Python issue

nntplib: unlimited readline() from connection.

  • Python issue: bpo-16040
  • Creation date: 2012-09-25
  • Reporter: Christian Heimes

CVE-2013-1752

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.

Timeline

Timeline using the disclosure date 2012-09-25 as reference:

  • 2012-09-25: Python issue bpo-16040 reported by Christian Heimes
  • 2013-09-30 (+370 days): commit 42faa55 (branch 2.7)
  • 2013-10-29 (+399 days): Python 2.6.9 released
  • 2013-11-10 (+411 days): Python 2.7.6 released
  • 2014-10-12 (+747 days): commit b3ac843 (branch 3.2)
  • 2014-10-12 (+747 days): Python 3.2.6 released
  • 2015-02-25 (+883 days): Python 3.4.3 released
  • 2015-09-12: Python 3.5.0 released
  • 2017-09-19 (+1820 days): Python 3.3.7 released
  • 2019-06-03 (+2442 days): CVE-2013-1752 published