Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061) #77162
Comments
Hi Python security team,

My name is James Davis. I'm a security researcher at Virginia Tech. The python core (cpython) has 2 regular expressions vulnerable to catastrophic backtracking that look like potential DOS vectors. Each vulnerability has the following keys, explained in more detail below:

The attack format describes how to generate an attack string. Compose an attack string like this:

Catastrophic backtracking blows up at either an exponential rate or a super-linear (power law) rate.

JSON formatted:

Vuln 1: {

Vuln 2: {
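The report above says that a regex "blows up" at a super-linear rate but the measurements themselves did not survive the migration. As an added example (not code from the reporter or from CPython), the harness below shows how a maintainer can check a pattern pair for that behaviour: it compares the growth in match time as the input doubles, and confirms the replacement pattern still accepts and rejects the same lines. The two patterns are reproduced from memory of the CPython fix for the difflib half of this issue (`IS_LINE_JUNK`) and are not shown on this page, so treat them as an assumption; the `growth_ratio` harness itself works for any pattern.

```python
"""Added example (not from the bug report or CPython): detect super-linear
regex backtracking by timing a non-matching input at two lengths.

The VULNERABLE / HARDENED patterns are quoted from memory of the CPython
difflib fix for CVE-2018-1061 (assumption; not shown on the page).
"""
import re
import time

# Pre-fix difflib.IS_LINE_JUNK pattern: two \s* runs separated only by an
# optional token. On a line of spaces ending in a non-space the engine tries
# every split of the run between the two \s* before '$' fails: O(n^2).
VULNERABLE = re.compile(r"\s*#?\s*$")

# Post-fix pattern: the second \s* exists only after a '#' was consumed, so
# there is exactly one way to partition the whitespace and matching is O(n).
HARDENED = re.compile(r"\s*(?:#\s*)?$")


def equivalent_on(lines):
    """True if both patterns agree (match vs. no match) on every line."""
    return all(bool(VULNERABLE.match(l)) == bool(HARDENED.match(l)) for l in lines)


def time_match(pattern, text, repeat=3):
    """Best-of-`repeat` wall-clock seconds for pattern.match(text)."""
    best = float("inf")
    for _ in range(repeat):
        t0 = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - t0)
    return best


def growth_ratio(pattern, n_small=1000, n_large=4000):
    """Slowdown from a non-matching line of n_small spaces to one of n_large.

    Linear matching gives roughly n_large / n_small (about 4 here);
    quadratic matching gives roughly (n_large / n_small) ** 2 (about 16).
    """
    # Constructed inputs: a whitespace run that can only fail at '$'.
    small = " " * n_small + "x"
    large = " " * n_large + "x"
    return time_match(pattern, large) / time_match(pattern, small)


if __name__ == "__main__":
    sample = ["", "   ", "#", "  # ", " #  x", "code  # not junk"]
    print("patterns agree on sample lines:", equivalent_on(sample))
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name}: slowdown 1000 -> 4000 spaces = {growth_ratio(pat):.1f}x")
```

The check a reviewer wants from a fix like this is twofold: the hardened pattern must be a drop-in replacement (`equivalent_on` over the lines the function is meant to classify), and the slowdown ratio must track the input growth rather than its square. Two adjacent quantifiers that can consume the same characters (`\s*` … `\s*`) are the shape to look for when auditing other patterns.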
Is this ready to close?
The fixes are now available from the cpython repo for all current security and maintenance branches (3.4 to 3.7 plus 2.7). They are now released in 3.6.5rc1 and will be available in the next releases of other branches: 3.7.0, 3.5.6, 3.4.9, and 2.7.15. Thanks again for reporting the issues, James, and helping to resolve them!
FYI I tracked this vulnerability at: