smtpd accept bug and race condition

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

CVE-2010-3492: The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.

CVE-2010-3493: Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.

Dates:

• Disclosure date: 2009-08-14 (Python issue bpo-6706 reported)

Fixed In

• Python 2.7.1 (2010-11-27) fixed by commit 19e9fef (branch 2.7) (2010-11-01)
• Python 3.1.3 (2010-11-27) fixed by commit 5ea3d0f (branch 3.1) (2010-11-01)
• Python 3.2.0 (2011-02-20) fixed by commit 977c707 (branch 3.2) (2010-10-04)

Python issue

asyncore’s accept() is broken.

• Python issue: bpo-6706
• Creation date: 2009-08-14
• Reporter: Giampaolo Rodola’

CVE-2010-3492

The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.

• CVE ID: CVE-2010-3492
• Published: 2010-10-19
• CVSS Score: 5.0

CVE-2010-3493

Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.

• CVE ID: CVE-2010-3493
• Published: 2010-10-19
• CVSS Score: 4.3

Timeline

Timeline using the disclosure date 2009-08-14 as reference:

• 2009-08-14: Python issue bpo-6706 reported by Giampaolo Rodola’
• 2010-10-04 (+416 days): commit 977c707 (branch 3.2)
• 2010-10-19 (+431 days): CVE-2010-3492 published
• 2010-10-19 (+431 days): CVE-2010-3493 published
• 2010-11-01 (+444 days): commit 19e9fef (branch 2.7)
• 2010-11-01 (+444 days): commit 5ea3d0f (branch 3.1)
• 2010-11-27 (+470 days): Python 2.7.1 released
• 2010-11-27 (+470 days): Python 3.1.3 released
• 2011-02-20: Python 3.2.0 released

Links

• https://nvd.nist.gov/vuln/detail/CVE-2010-3492/
• https://nvd.nist.gov/vuln/detail/CVE-2010-3493/