Staging
v0.8.1
v0.8.1
Revision c9516754067d71fd7429a25ccfcb2141fc583523 authored by Benjamin Peterson on 04 March 2018, 06:59:12 UTC, committed by GitHub on 04 March 2018, 06:59:12 UTC
* Prevent low-grade poplib REDOS (CVE-2018-1060) The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases. * Prevent difflib REDOS (CVE-2018-1061) The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib. Co-authored-by: Tim Peters <tim.peters@gmail.com> Co-authored-by: Christian Heimes <christian@python.org>. (cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
1 parent bd92cfe
File | Mode | Size |
---|---|---|
.github | ||
Doc | ||
Grammar | ||
Include | ||
Lib | ||
Mac | ||
Misc | ||
Modules | ||
Objects | ||
PC | ||
PCbuild | ||
Parser | ||
Programs | ||
Python | ||
Tools | ||
.bzrignore | -rw-r--r-- | 582 bytes |
.gitattributes | -rw-r--r-- | 798 bytes |
.gitignore | -rw-r--r-- | 1.3 KB |
.hgignore | -rw-r--r-- | 1.3 KB |
.travis.yml | -rw-r--r-- | 4.9 KB |
LICENSE | -rw-r--r-- | 12.5 KB |
Makefile.pre.in | -rw-r--r-- | 59.6 KB |
README.rst | -rw-r--r-- | 9.1 KB |
aclocal.m4 | -rw-r--r-- | 13.0 KB |
config.guess | -rwxr-xr-x | 43.2 KB |
config.sub | -rwxr-xr-x | 35.7 KB |
configure | -rwxr-xr-x | 478.4 KB |
configure.ac | -rw-r--r-- | 159.0 KB |
install-sh | -rwxr-xr-x | 7.0 KB |
pyconfig.h.in | -rw-r--r-- | 41.2 KB |
setup.py | -rw-r--r-- | 102.1 KB |
Computing file changes ...