smtplib unlimited read

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The smtplib module doesn’t limit the amount of read data in its call to readline(). An erroneous or malicious SMTP server can trick the smtplib module to consume large amounts of memory.

Dates:

  • Disclosure date: 2012-09-25 (Python issue bpo-16042 reported)
  • Red Hat impact: Moderate

Fixed In

Python issue

smtplib: unlimited readline() from connection.

  • Python issue: bpo-16042
  • Creation date: 2012-09-25
  • Reporter: Christian Heimes

CVE-2013-1752

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 “Independently Fixable” in the CVE Counting Decisions.

Timeline

Timeline using the disclosure date 2012-09-25 as reference:

  • 2012-09-25: Python issue bpo-16042 reported by Christian Heimes
  • 2014-09-30 (+735 days): commit 210ee47 (branch 3.2)
  • 2014-10-12 (+747 days): Python 3.2.6 released
  • 2014-12-06 (+802 days): commit dabfc56 (branch 2.7)
  • 2014-12-10 (+806 days): Python 2.7.9 released
  • 2015-02-25 (+883 days): Python 3.4.3 released
  • 2015-09-12: Python 3.5.0 released
  • 2017-09-19 (+1820 days): Python 3.3.7 released
  • 2019-06-03 (+2442 days): CVE-2013-1752 published