This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: DoS smtpd module vulnerability
Type: security Stage:
Components: Library (Lib) Versions: Python 3.1, Python 3.2, Python 2.7, Python 2.6
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: giampaolo.rodola Nosy List: Arfrever, barry, giampaolo.rodola, josiah.carlson
Priority: normal Keywords: patch

Created on 2010-06-30 18:44 by giampaolo.rodola, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
smtpd-dos.patch giampaolo.rodola, 2010-08-21 19:27 review
Messages (11)
msg109003 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-06-30 18:44 
Steps to reproduce the issue:

- in one shell run: "python -m smtpd -n"
- in another one run: "for i in {1..1000};do nmap -sT -p 8025 localhost;done"

The server will print out the following output and just quit (DoS):

giampaolo@ubuntu:~/svn/python-2.7$ ./python -m smtpd -n 
error: uncaptured python exception, closing channel <__main__.PureProxy listening localhost:8025 at 0xb74b0f4c> (<class 'socket.error'>:[Errno 107] Transport endpoint is not connected [/home/giampaolo/svn/python-2.7/Lib/asyncore.py|read|79] [/home/giampaolo/svn/python-2.7/Lib/asyncore.py|handle_read_event|430] [/home/giampaolo/svn/python-2.7/Lib/smtpd.py|handle_accept|296] [/home/giampaolo/svn/python-2.7/Lib/smtpd.py|__init__|124] [/home/giampaolo/svn/python-2.7/Lib/socket.py|meth|222])
giampaolo@ubuntu:~/svn/python-2.7$ 

This is due to issue 6706.
msg109005 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-06-30 19:02 
It would be ideal to solve this issue in asyncore.py by fixing dispatcher.accept() once and for all, but I'm not sure whether this can be done in a fully retro-compatible way in terms of asyncore API.

Alternatively SMTPServer.handle_accept() can be fixed in the same way as pyftpdlib did:
http://code.google.com/p/pyftpdlib/source/browse/tags/release-0.5.2/pyftpdlib/ftpserver.py#622

   def handle_accept(self)
       try:
            sock, addr = self.accept()
        except TypeError:
            # sometimes accept() might return None
            return
        except socket.error, err:
            # ECONNABORTED might be thrown
            if err[0] != errno.ECONNABORTED:
                raise
            return
        else:
            # sometimes addr == None instead of (ip, port)
            if addr == None:
                return
msg114552 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-08-21 19:27 
Being not easy to patch asyncore in a retro-compatible way here's a patch for smtpd instead which can be applied to python 2.7, 3.1 and 3.2.
Tested with nmap as shown in my first message on both Linux and FreeBSD and not exceptions are raised.
msg114755 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-08-23 22:49 
Fixed in r84289.
msg115613 - (view) Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * (Python triager) Date: 2010-09-04 20:26 
Security fixes are allowed in 2.6 branch, so could you backport the fix also to 2.6 branch?
msg115705 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-09-06 14:06 
This is already in 2.6 branch.
msg115901 - (view) Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * (Python triager) Date: 2010-09-08 21:01 
No, it isn't in 2.6 branch.
msg115906 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-09-08 21:54 
You're right, I'm sorry. I looked at "Versions" field which has 2.6 set but it's not correct.
msg115908 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-09-08 22:12 
Reopening. I'll backport this at some point during this week, I hope.
msg123555 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2010-12-07 15:21 
I'm okay classifying this as a security bug that should be fixed in the 2.6 tree.
msg123576 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-12-07 18:55 
Fixed for Python 2.6 in r87123.
Closing out as fixed.
History
Date User Action Args
2022-04-11 14:57:03adminsetgithub: 53375
2010-12-07 18:55:49giampaolo.rodolasetstatus: open -> closed
resolution: fixed
messages: + msg123576
2010-12-07 15:21:17barrysetmessages: + msg123555
2010-09-08 22:12:33giampaolo.rodolasetstatus: closed -> open
resolution: fixed -> (no value)
messages: + msg115908
2010-09-08 21:54:30giampaolo.rodolasetmessages: + msg115906
2010-09-08 21:01:16Arfreversetmessages: + msg115901
2010-09-06 14:06:22giampaolo.rodolasetmessages: + msg115705
2010-09-04 20:26:02Arfreversetmessages: + msg115613
versions: + Python 2.6
2010-08-24 15:06:33Arfreversetnosy: + Arfrever
2010-08-23 22:49:51giampaolo.rodolasetstatus: open -> closed
resolution: fixed
messages: + msg114755
2010-08-21 19:27:44giampaolo.rodolasetfiles: + smtpd-dos.patch

assignee: giampaolo.rodola
versions: - Python 2.6
keywords: + patch
nosy: + barry

messages: + msg114552
2010-06-30 19:02:53giampaolo.rodolasetnosy: + josiah.carlson
messages: + msg109005
2010-06-30 18:44:25giampaolo.rodolacreate