• Jamie Davis's avatar
    bpo-32981: Fix catastrophic backtracking vulns (#5955) · 0e6c8ee2
    Jamie Davis yazdı
    * Prevent low-grade poplib REDOS (CVE-2018-1060)
    
    The regex to test a mail server's timestamp is susceptible to
    catastrophic backtracking on long evil responses from the server.
    
    Happily, the maximum length of malicious inputs is 2K thanks
    to a limit introduced in the fix for CVE-2013-1752.
    
    A 2KB evil response from the mail server would result in small slowdowns
    (milliseconds vs. microseconds) accumulated over many apop calls.
    This is a potential DOS vector via accumulated slowdowns.
    
    Replace it with a similar non-vulnerable regex.
    
    The new regex is RFC compliant.
    The old regex was non-compliant in edge cases.
    
    * Prevent difflib REDOS (CVE-2018-1061)
    
    The default regex for IS_LINE_JUNK is susceptible to
    catastrophic backtracking.
    This is a potential DOS vector.
    
    Replace it with an equivalent non-vulnerable regex.
    
    Also introduce unit and REDOS tests for difflib.
    Co-authored-by: 's avatarTim Peters <tim.peters@gmail.com>
    Co-authored-by: 's avatarChristian Heimes <christian@python.org>
    0e6c8ee2
2018-03-02-10-24-52.bpo-32981.O_qDyj.rst 224 Bytes