Staging
v0.5.1
v0.5.1
https://github.com/python/cpython
Revision 942cc04ae44825ea120e3a19a80c9b348b8194d0 authored by Ned Deily on 11 March 2018, 18:28:53 UTC, committed by larryhastings on 11 March 2018, 18:28:53 UTC
* Prevent low-grade poplib REDOS (CVE-2018-1060) The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases. * Prevent difflib REDOS (CVE-2018-1061) The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib. Co-authored-by: Tim Peters <tim.peters@gmail.com> Co-authored-by: Christian Heimes <christian@python.org>.
1 parent f584ecd
Tip revision: 942cc04ae44825ea120e3a19a80c9b348b8194d0 authored by Ned Deily on 11 March 2018, 18:28:53 UTC
[3.4] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) (#6035)
[3.4] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) (#6035)
Tip revision: 942cc04
| File | Mode | Size |
|---|---|---|
| buildbot | ||
| ccbench | ||
| clinic | ||
| demo | ||
| freeze | ||
| gdb | ||
| hg | ||
| i18n | ||
| importbench | ||
| iobench | ||
| msi | ||
| parser | ||
| pybench | ||
| pynche | ||
| scripts | ||
| ssl | ||
| stringbench | ||
| test2to3 | ||
| unicode | ||
| unittestgui | ||
| README | -rw-r--r-- | 1.9 KB |
Computing file changes ...
