Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 495224 (CVE-2013-1752)

Summary: <dev-lang/python-{2.7.7,3.2.5-r6,3.3.4}: multiple unbound readline() DoS flaws in python stdlib (CVE-2013-1752)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1046174
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 497758    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-12-24 12:03:27 UTC 
From ${URL} :

Multiple denial of service flaws were reported against various parts of Python's stdlib:

* httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4])
* ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8])
* imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11])
* nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15])
* poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18])
* smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x)

Unfortunately, upstream assigned a single CVE to all of these, however I do not believe they can 
all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 
2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions).  So this will likely require MITRE to 
detangle.


[1] http://bugs.python.org/issue16037
[2] http://hg.python.org/cpython/rev/8a22a2804a66/
[3] http://hg.python.org/cpython/rev/582e5072ff89
[4] http://hg.python.org/cpython/rev/e445d02e5306/
[5] http://bugs.python.org/issue16038
[6] http://hg.python.org/cpython/rev/44ac81e6d584/
[7] http://hg.python.org/cpython/rev/8b19e7d0be45/
[8] http://hg.python.org/cpython/rev/38db4d0726bd/
[9] http://bugs.python.org/issue16039
[10] http://hg.python.org/cpython/rev/4190568ceda0/
[11] http://hg.python.org/cpython/rev/4b0364fc5711/
[12] http://bugs.python.org/issue16040
[13] http://hg.python.org/cpython/rev/36680a7c0e22/
[14] http://hg.python.org/cpython/rev/731abf7834c4/
[15] http://hg.python.org/cpython/rev/fc88bd80d925/
[16] http://bugs.python.org/issue16041
[17] http://hg.python.org/cpython/rev/7214e3324a45/
[18] http://hg.python.org/cpython/rev/68029048c9c6/
[19] http://bugs.python.org/issue16042
[20] http://hg.python.org/cpython/rev/8a6def3add5b/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2013-12-25 02:59:51 UTC 
+*python-2.6.9 (25 Dec 2013)
+
+  25 Dec 2013; Mike Gilbert <floppym@gentoo.org> +python-2.6.9.ebuild:
+  Bump for security bug 495224.

I don't have any objection to stabilizing 2.7.6 and 3.3.3. There seem to be a few unpatched issues in 2.7.6, however.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:35:48 UTC 
This issue was resolved and addressed in
 GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10
by GLSA coordinator Kristian Fiskerstrand (K_F).