smtplib unlimited read

The smtplib module doesn’t limit the amount of read data in its call to readline(). An erroneous or malicious SMTP server can trick the smtplib module to consume large amounts of memory.

Dates:

  • Disclosure date: 2012-09-25 (Python issue bpo-16042 reported)
  • Red Hat impact: Moderate

Fixed In

Python issue

smtplib: unlimited readline() from connection.

  • Python issue: bpo-16042
  • Creation date: 2012-09-25
  • Reporter: Christian Heimes

CVE-2013-1752

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.

Timeline

Timeline using the disclosure date 2012-09-25 as reference:

  • 2012-09-25: Python issue bpo-16042 reported by Christian Heimes
  • 2014-09-30 (+735 days): commit 210ee47 (branch 3.2)
  • 2014-10-11 (+746 days): Python 3.2.6 released
  • 2014-12-06 (+802 days): commit dabfc56 (branch 2.7)
  • 2014-12-10 (+806 days): Python 2.7.9 released
  • 2015-02-23 (+881 days): Python 3.4.3 released
  • 2015-09-09: Python 3.5.0 released
  • 2017-09-19 (+1820 days): Python 3.3.7 released
  • 2019-06-03 (+2442 days): CVE-2013-1752 published