Issue2322

Classification
Title: CVE-2013-1752 - multiple unbound readline() DoS flaws in python stdlib
Type: security
Severity: normal
Components: Library
Versions: Jython 2.7
Milestone:
Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: alex.gronholm
Nosy List: alex.gronholm, mbooth, zyasoft
Priority:
Keywords:

Created on 2015-04-13.10:21:47 by mbooth, last changed 2015-04-13.23:21:44 by alex.gronholm.

Messages
msg9806 (view) Author: Mat Booth (mbooth) Date: 2015-04-13.10:21:46
This problem was reported to me in the Red Hat bugzilla here:

https://bugzilla.redhat.com/show_bug.cgi?id=1159201

These problems were fixed in CPython 2.7 in the following commits:

ftplib:  https://hg.python.org/cpython/rev/44ac81e6d584
imaplib: https://hg.python.org/cpython/rev/dd906f4ab923
nntplib: https://hg.python.org/cpython/rev/36680a7c0e22
poplib:  https://hg.python.org/cpython/rev/339f877cca11
smtplib: https://hg.python.org/cpython/rev/923aac88a3cc
httplib: https://hg.python.org/cpython/rev/5e310c6a8520

Please consider back-porting them to Jython 2.7.
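The pattern the commits above apply, shown here as an added example that is not part of this issue, of CPython or of Jython: the vulnerable form calls readline() with no limit, so a peer that never sends a newline makes the client buffer the whole stream; the fixed form asks for at most one byte beyond its limit and rejects the line if that limit is exceeded. The MAX_LINE value and the function names are assumptions for the demo, and the server reply is constructed in memory.

```python
import io

# Maximum accepted line length, including the terminating CRLF. The CPython
# fixes introduced per-module limits for this; 2048 is an assumed demo value.
MAX_LINE = 2048


def read_line_unbounded(fp):
    """Pre-fix pattern: readline() with no size argument keeps reading until
    a newline arrives, so the buffer grows with whatever the peer sends."""
    return fp.readline()


def read_line_bounded(fp, max_line=MAX_LINE):
    """Post-fix pattern: read at most max_line + 1 bytes. If more than
    max_line came back, the peer sent an overlong line; refuse it instead of
    growing the buffer indefinitely."""
    line = fp.readline(max_line + 1)
    if len(line) > max_line:
        raise ValueError("got more than %d bytes" % max_line)
    return line


def demo(overlong_len=10 * MAX_LINE):
    """Constructed stand-in for a server reply: one line far longer than any
    legitimate protocol response, followed by an ordinary line. Returns
    (bytes buffered by the unbounded reader, whether the bounded reader
    rejected the long line, what the bounded reader returns for a normal line)."""
    payload = b"+OK " + b"A" * overlong_len + b"\r\n+OK 2 msgs\r\n"

    unbounded = read_line_unbounded(io.BytesIO(payload))

    try:
        read_line_bounded(io.BytesIO(payload))
        bounded_rejected = False
    except ValueError:
        bounded_rejected = True

    # The limit does not affect well-formed replies.
    normal = read_line_bounded(io.BytesIO(b"+OK 2 msgs\r\n"))
    return len(unbounded), bounded_rejected, normal


if __name__ == "__main__":
    print(demo())
```

A bounded reader caps memory per line at a fixed constant regardless of what the peer sends; the limit should be chosen per protocol, which is why the CPython fixes differ between modules.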
msg9807 (view) Author: Jim Baker (zyasoft) Date: 2015-04-13.14:32:01
These should be changed in Jython as well.
msg9815 (view) Author: Jim Baker (zyasoft) Date: 2015-04-13.21:46:10
Partial fix in https://hg.python.org/jython/rev/415c4a58078e, however, we will have to patch httplib to not use 2.7.9's support for SSLContext until we do that work.

I believe it's just a change here in the code:
https://hg.python.org/jython/rev/415c4a58078e#l2.139
to
https://hg.python.org/jython/rev/415c4a58078e#l2.176
(so __init__, connect, __init__ methods)

and can be done by just using the old implementation of these methods in the patched version in Lib/httplib.py
msg9823 (view) Author: Alex Grönholm (alex.gronholm) Date: 2015-04-13.23:21:44
Fixed the httplib problem in https://hg.python.org/jython/rev/2e19fbf8ac38 by reverting to an earlier version of the module that does not support custom SSL contexts.
History
Date                User           Action  Args
2015-04-13 23:21:44 alex.gronholm  set     status: open -> closed; resolution: accepted -> fixed; messages: + msg9823
2015-04-13 21:46:26 zyasoft        set     resolution: fixed -> accepted
2015-04-13 21:46:15 zyasoft        set     status: closed -> open
2015-04-13 21:46:10 zyasoft        set     messages: + msg9815
2015-04-13 19:45:18 alex.gronholm  set     status: open -> closed; resolution: fixed
2015-04-13 18:22:44 alex.gronholm  set     assignee: alex.gronholm; nosy: + alex.gronholm
2015-04-13 14:32:01 zyasoft        set     nosy: + zyasoft; messages: + msg9807
2015-04-13 10:21:47 mbooth         create