Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061) #77162
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Issue metadata (bugs.python.org issue 32981, migrated to GitHub as #77162):
- url: https://bugs.python.org/issue32981
- title: Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061)
- creator: davisjam (https://github.com/davisjam); created 2018-03-02 00:36:19
- closed by ned.deily on 2018-03-14 05:23:09; last activity 2019-05-10 18:09:12
- status: closed; resolution: fixed; stage: resolved
- type: security; priority: critical
- labels: type-security, 3.8, 3.7, library; components: Library (Lib)
- keywords: patch, security_issue
- versions: Python 2.7, 3.4, 3.5, 3.6, 3.7, 3.8
- pull requests: 5955, 5969, 5970, 5971, 6034, 6035
- messages (10): 313119, 313198, 313200, 313202, 313203, 313609, 313610, 313611, 313803, 316124
- nosy (6): tim.peters, vstinner, larry, benjamin.peterson, ned.deily, davisjam
Hi Python security team,
My name is James Davis. I'm a security researcher at Virginia Tech.
The Python core (cpython) has 2 regular expressions vulnerable to catastrophic backtracking that look like potential DoS vectors.
Each vulnerability has the following keys, explained in more detail below:
The attack format describes how to generate an attack string.
Compose an attack string like this:
Catastrophic backtracking blows up at either an exponential rate or a super-linear (power law) rate.
The fixes are now available from the cpython repo for all current security and maintenance branches (3.4 to 3.7 plus 2.7). They are now released in 3.6.5rc1 and will be available in the next releases of other branches: 3.7.0, 3.5.6, 3.4.9, and 2.7.15.
Thanks again for reporting the issues, James, and helping to resolve them!
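As an added illustration of the difflib half of this report (not code from the issue or from CPython itself): the two patterns below are the pre-fix and post-fix forms of the regular expression behind difflib.IS_LINE_JUNK as I recall them from the bpo-32981 fix, so treat them as an assumption to verify against the actual commit. The block shows the defender's two checks: that the hardened pattern accepts exactly the same lines as the original on ordinary input, and a simple growth measurement that distinguishes the original's power-law (quadratic) matching time from the fixed pattern's linear time on a constructed line of n spaces followed by a non-space character.

```python
import re
import time

# Assumption: these are the difflib.IS_LINE_JUNK patterns before and after
# the bpo-32981 fix; verify against the actual commit before relying on them.
# In the original, the two \s* quantifiers can each claim any share of a run
# of spaces, so a failing match retries every split: O(n^2) for n spaces.
VULNERABLE_JUNK = re.compile(r"\s*#?\s*$")
# The fix nests the second \s* behind a mandatory '#', so there is only one
# way to consume a run of spaces and a failing match costs O(n).
FIXED_JUNK = re.compile(r"\s*(?:#\s*)?$")


def is_line_junk(pattern, line):
    """True if ``line`` is blank or a lone '#' according to ``pattern``."""
    return pattern.match(line) is not None


def patterns_agree(samples):
    """Return the sample lines on which the hardened pattern disagrees with
    the original; an empty list means the fix preserved behaviour."""
    return [
        s for s in samples
        if is_line_junk(VULNERABLE_JUNK, s) != is_line_junk(FIXED_JUNK, s)
    ]


def seconds_to_match(pattern, n):
    """Time one match attempt on a constructed line of n spaces followed by
    'x': the optional '#' never matches, so the engine must backtrack over
    the whole run of spaces before failing at '$'."""
    line = " " * n + "x"
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


def growth_ratio(pattern, n_small, n_large):
    """Ratio of match times as the input grows from n_small to n_large.
    A linear pattern stays near n_large / n_small; a quadratic one is
    near (n_large / n_small) ** 2."""
    small = max(seconds_to_match(pattern, n_small), 1e-9)
    return seconds_to_match(pattern, n_large) / small


if __name__ == "__main__":
    # Constructed sample lines covering blank, '#'-only and non-junk cases.
    samples = ["", "   ", "#", "  #  ", "x", " # x", "##", "\t#\t"]
    print("disagreements:", patterns_agree(samples))
    for name, pat in (("vulnerable", VULNERABLE_JUNK), ("fixed", FIXED_JUNK)):
        print(name, "growth ratio 1000->4000:", round(growth_ratio(pat, 1000, 4000), 1))
```

Run stand-alone, the script reports no disagreements on the sample lines and a growth ratio near 4 for the fixed pattern against roughly 16 for the original when the input quadruples, which is the super-linear signature the report describes. The same harness can be pointed at any regex that is applied to untrusted input: a ratio that grows faster than the input length is the cue to restructure the pattern or bound the input before it reaches the regex engine.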