Classification
Title: nntplib: unlimited readline() from connection
Type: resource usage
Stage: resolved
Components: Library (Lib)
Versions: Python 3.1, Python 3.2

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: Arfrever, barry, benjamin.peterson, christian.heimes, francismb, georg.brandl, giampaolo.rodola, hynek, larry, nailor, python-dev, terry.reedy
Priority: release blocker
Keywords: patch

Created on 2012-09-25 10:38 by christian.heimes, last changed 2014-10-12 07:17 by python-dev. This issue is now closed.

Files
File name                   Uploaded                  Description  Edit
issue16040_py26.patch       nailor, 2013-09-30 21:02               review
issue16040_py26_v2.patch    nailor, 2013-09-30 21:43               review
issue16040_py32.patch       nailor, 2013-10-24 19:58               review
Messages (23)
msg171243 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2012-09-25 10:38
This bug is similar to #16037 and a modified copy of #16038.

The nntplib module doesn't limit the amount of read data in its call to readline(). An erroneous or malicious news server can trick the nntplib module to consume large amounts of memory.

Suggestion:
The nntplib module should be modified to use limited readline() with _MAXLINE like the httplib module.
msg172291 - Author: Hynek Schlawack (hynek) * (Python committer) Date: 2012-10-07 11:05
Any suggestions on the value for _MAXLINE, or just steal the 64k from httplib?
msg182190 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-15 23:42
RFC 3977 specifies:

  Command lines MUST NOT exceed 512 octets, which includes
  the terminating CRLF pair.

However, NNTP also has multi-line data blocks. The RFC says nothing about the maximum length of a data line. We may need two limits here, one for command lines (2048 perhaps) and one much larger for data lines (a couple of MB?).

Can somebody check other implementations?
msg182197 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-15 23:59
CVE-2013-1752  Unbound readline() DoS vulnerabilities in Python stdlib
msg185059 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2013-03-23 14:45
Not blocking 2.7.4 as discussed on mailing list.
msg196859 - Author: Barry A. Warsaw (barry) * (Python committer) Date: 2013-09-03 18:34
blocker for 2.6.9
msg197781 - Author: Barry A. Warsaw (barry) * (Python committer) Date: 2013-09-15 16:21
Any more thoughts on this bug w.r.t. 2.6.9?  It seems that without a patch for any version of Python, and with 2.6.9 coming soon, a fix for this just won't make it into 2.6.9.

That doesn't bother me too much, and I'm willing to just knock this off the 2.6.9 radar unless objections (accompanied by patches? :) are raised.
msg198739 - Author: Jyrki Pulliainen (nailor) * Date: 2013-09-30 21:02
Regarding the implementation: all commands (even those returning multiple lines) use the same readline method.

I've attached a patch for 2.6, working on the 2.7+ too.
msg198740 - Author: Barry A. Warsaw (barry) * (Python committer) Date: 2013-09-30 21:07
Looks great, thanks!  I'll apply this to 2.6.9 but let others forward port it to 2.7.
msg198741 - Author: Jyrki Pulliainen (nailor) * Date: 2013-09-30 21:12
The patch for 2.6 applies cleanly on 2.7 too, and the tests pass there.
msg198742 - Author: Jyrki Pulliainen (nailor) * Date: 2013-09-30 21:43
Did a slight change to the patch, making the too-long line look like a valid line so that it does not raise an NNTPProtocolError otherwise. Thanks to Barry for catching this :)

I also wonder if there should be a data error raised instead? The current docstrings of the errors are not that good a fit.
msg198745 - Author: Barry A. Warsaw (barry) * (Python committer) Date: 2013-09-30 22:44
On Sep 30, 2013, at 09:43 PM, Jyrki Pulliainen wrote:

>I also wonder if there should be a data error raised instead? The current docstrings
>of the errors are not that good a fit.

I guess a data error makes the least nonsense here, so I'll change it over to
that.  I'm happy to entertain other thoughts (except for introducing a new
exception of course) before 2.6.9 final.
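The reading scheme the thread converges on, as an added example in Python (not the patch attached to this issue and not nntplib's own code): a line reader that asks readline() for at most _MAXLINE + 1 bytes, treats anything longer than the 2048-byte cap as a data error, and serves both single-line status responses and multi-line data blocks through that one bounded call. The BoundedReader class, the read_long_response helper and the byte strings fed to them are constructed for this illustration; the two exception classes are local stand-ins named after nntplib's NNTPDataError and NNTPProtocolError. The LONG_STATUS sample shows the point made above about the test data: its first bytes form a valid status code, so a rejection can only come from the length check. Running the file with no practical cap reproduces the behaviour this issue reports, namely the whole over-long line being buffered.

```python
"""Bounded vs. unbounded readline() on an NNTP-style connection (added
illustration; constructed data in an io.BytesIO stands in for a socket)."""
import io

# Cap discussed in the thread: RFC 3977 limits command lines to 512 octets,
# 2048 leaves headroom; the constant name follows httplib's _MAXLINE.
_MAXLINE = 2048


class NNTPDataError(Exception):
    """Stand-in for nntplib.NNTPDataError: server sent unacceptable data."""


class NNTPProtocolError(Exception):
    """Stand-in for nntplib.NNTPProtocolError: malformed status line."""


class BoundedReader:
    """Read NNTP response lines from a binary file object with a length cap.

    Hypothetical helper: `fileobj` is anything with readline(size), such as
    socket.makefile('rb') or, in this example, an io.BytesIO.
    """

    def __init__(self, fileobj, maxline=_MAXLINE):
        self.file = fileobj
        self.maxline = maxline

    def getline(self):
        # Request at most maxline + 1 bytes. A result longer than maxline
        # means the server sent an over-long line; reject it here instead of
        # letting an unbounded readline() buffer the whole thing.
        line = self.file.readline(self.maxline + 1)
        if len(line) > self.maxline:
            raise NNTPDataError('line too long')
        if not line:
            raise EOFError
        if line.endswith(b'\r\n'):
            line = line[:-2]
        elif line.endswith(b'\n'):
            line = line[:-1]
        return line

    def getresp(self):
        # Status line: a three-digit code followed by text. The length check
        # in getline() runs first, so an over-long line is reported as a data
        # error even when its first bytes look like a valid status.
        resp = self.getline()
        if len(resp) < 3 or not resp[:3].isdigit():
            raise NNTPProtocolError(resp)
        return resp

    def getlongresp(self):
        # Multi-line block: status line, then data lines up to a lone ".",
        # with RFC 3977 dot-stuffing ("..") undone. Single- and multi-line
        # responses share the same bounded getline().
        resp = self.getresp()
        lines = []
        while True:
            line = self.getline()
            if line == b'.':
                break
            if line.startswith(b'..'):
                line = line[1:]
            lines.append(line)
        return resp, lines


def read_long_response(data, maxline=_MAXLINE):
    """Parse constructed server output with the given cap.

    Returns (status, lines) on success, or the name of the error raised.
    """
    reader = BoundedReader(io.BytesIO(data), maxline)
    try:
        return reader.getlongresp()
    except NNTPDataError:
        return 'NNTPDataError'
    except NNTPProtocolError:
        return 'NNTPProtocolError'


# Constructed server output (not captured from any real server).
GOOD = (b'215 list of newsgroups follows\r\n'
        b'comp.lang.python 100 1 y\r\n'
        b'..dot-stuffed\r\n'
        b'.\r\n')
# Well-formed status line, then one body line far beyond the cap.
LONG_BODY = b'215 list of newsgroups follows\r\n' + b'A' * 100000 + b'\r\n.\r\n'
# Over-long status line that still starts with a valid code, so the
# rejection is attributable to the length check, not the status check.
LONG_STATUS = b'215 ' + b'A' * 100000 + b'\r\n.\r\n'

if __name__ == '__main__':
    print(read_long_response(GOOD))
    print(read_long_response(LONG_BODY))
    print(read_long_response(LONG_STATUS))
    # With no practical cap the over-long line is buffered in full.
    _, lines = read_long_response(LONG_BODY, maxline=10 ** 9)
    print(len(lines[0]))
```

The check sits in getline() rather than in each command method so that every response path, including the multi-line LIST and ARTICLE style blocks, is covered by the same cap; a limit applied only to status lines would leave the data block path unbounded.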
msg198746 - Author: Roundup Robot (python-dev) Date: 2013-09-30 23:10
New changeset 731abf7834c4 by Barry Warsaw in branch '2.6':
- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
http://hg.python.org/cpython/rev/731abf7834c4

New changeset 36680a7c0e22 by Barry Warsaw in branch '2.7':
- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
http://hg.python.org/cpython/rev/36680a7c0e22
msg198777 - Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * Date: 2013-10-01 13:44
> New changeset 731abf7834c4 by Barry Warsaw in branch '2.6':
> - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
> http://hg.python.org/cpython/rev/731abf7834c4
> 
> New changeset 36680a7c0e22 by Barry Warsaw in branch '2.7':
> - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
> http://hg.python.org/cpython/rev/36680a7c0e22

s/lenght/length/ in new comment in Lib/nntplib.py
msg198791 - Author: Barry A. Warsaw (barry) * (Python committer) Date: 2013-10-01 15:40
On Oct 01, 2013, at 01:44 PM, Arfrever Frehtes Taifersar Arahesis wrote:

>s/lenght/length/ in new comment in Lib/nntplib.py

Fixed, thanks.
msg200351 - Author: Larry Hastings (larry) * (Python committer) Date: 2013-10-19 01:23
Ping.  Please fix before "beta 1".
msg201172 - Author: Jyrki Pulliainen (nailor) * Date: 2013-10-24 19:58
...and here's a patch for 3.2
msg201425 - Author: Roundup Robot (python-dev) Date: 2013-10-27 06:39
New changeset fc88bd80d925 by Georg Brandl in branch '3.3':
Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
http://hg.python.org/cpython/rev/fc88bd80d925
msg201428 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2013-10-27 06:45
Also merged to default.
msg222501 - Author: Francis MB (francismb) * Date: 2014-07-07 19:27
Just a small detail on the patches: they seem to have a typo
(lenght vs. length) on the line:

>> reading arbitrary lenght lines. RFC 3977 limits NNTP line length to
msg222625 - Author: Roundup Robot (python-dev) Date: 2014-07-09 17:16
New changeset 5be778fec115 by Berker Peksag in branch '3.4':
Issues #21948 and #16040: Fix typos.
http://hg.python.org/cpython/rev/5be778fec115

New changeset 051cc4f60384 by Berker Peksag in branch 'default':
Issues #21948 and #16040: Merge with 3.4.
http://hg.python.org/cpython/rev/051cc4f60384
msg226118 - Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2014-08-30 03:54
3.1 is finished and Georg decided to skip 3.2.
msg229122 - Author: Roundup Robot (python-dev) Date: 2014-10-12 07:17
New changeset 985bda4edf9d by Georg Brandl in branch '3.2':
#16040: fix unlimited read from connection in nntplib.
https://hg.python.org/cpython/rev/985bda4edf9d
History
Date                 User               Action  Args
2014-10-12 07:17:06  python-dev         set     messages: + msg229122
2014-08-30 03:54:57  terry.reedy        set     status: open -> closed; nosy: + terry.reedy; messages: + msg226118; resolution: fixed; stage: needs patch -> resolved
2014-07-09 17:16:33  python-dev         set     messages: + msg222625
2014-07-07 19:27:21  francismb          set     nosy: + francismb; messages: + msg222501
2013-10-27 06:45:50  georg.brandl       set     messages: + msg201428; versions: - Python 3.3, Python 3.4
2013-10-27 06:39:04  python-dev         set     messages: + msg201425
2013-10-24 19:58:14  nailor             set     files: + issue16040_py32.patch; messages: + msg201172
2013-10-19 01:23:16  larry              set     messages: + msg200351
2013-10-01 15:40:03  barry              set     messages: + msg198791
2013-10-01 13:44:54  Arfrever           set     messages: + msg198777
2013-09-30 23:11:57  barry              set     versions: - Python 2.7
2013-09-30 23:11:23  barry              set     versions: - Python 2.6
2013-09-30 23:10:13  python-dev         set     nosy: + python-dev; messages: + msg198746
2013-09-30 22:44:21  barry              set     messages: + msg198745
2013-09-30 21:43:48  nailor             set     files: + issue16040_py26_v2.patch; messages: + msg198742
2013-09-30 21:12:58  nailor             set     messages: + msg198741
2013-09-30 21:07:44  barry              set     messages: + msg198740
2013-09-30 21:02:23  nailor             set     files: + issue16040_py26.patch; nosy: + nailor; messages: + msg198739; keywords: + patch
2013-09-15 19:44:01  Arfrever           set     versions: + Python 2.6, Python 3.1
2013-09-15 16:21:49  barry              set     messages: + msg197781
2013-09-03 18:34:01  barry              set     priority: critical -> release blocker; nosy: + barry; messages: + msg196859
2013-03-23 14:45:57  benjamin.peterson  set     priority: release blocker -> critical; messages: + msg185059
2013-02-22 23:47:40  Arfrever           set     nosy: + Arfrever
2013-02-15 23:59:15  christian.heimes   set     messages: + msg182197
2013-02-15 23:42:22  christian.heimes   set     messages: + msg182190; stage: needs patch
2013-02-04 17:11:21  christian.heimes   set     priority: critical -> release blocker; nosy: + larry, benjamin.peterson, georg.brandl
2013-01-21 11:37:14  giampaolo.rodola   set     nosy: + giampaolo.rodola
2013-01-20 14:38:02  christian.heimes   set     priority: normal -> critical; assignee: christian.heimes; versions: + Python 3.4
2012-10-07 11:05:26  hynek              set     messages: + msg172291
2012-09-26 04:27:41  hynek              set     nosy: + hynek
2012-09-25 10:38:44  christian.heimes   create