mirror of
https://github.com/AdaCore/cpython.git
synced 2026-02-12 12:57:15 -08:00
* Prevent low-grade poplib REDOS (CVE-2018-1060)
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.
Replace it with a similar non-vulnerable regex.
The new regex is RFC compliant.
The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee235)
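The difflib change above, shown as an added example that is not part of this commit or of CPython's own test suite: the two patterns are the pre-fix and post-fix IS_LINE_JUNK defaults as I know them from upstream, not quoted from this page, so treat the exact strings as an assumption; the long whitespace line is constructed. The point of the harness is the one the commit makes: both patterns accept the same lines, but the old one spends quadratic time rejecting a long run of whitespace followed by a non-junk character, while the fixed one rejects it in a single pass.

```python
"""Regression check for the difflib IS_LINE_JUNK ReDoS (CVE-2018-1061).

Added example, not CPython's own code.  OLD_JUNK / NEW_JUNK are the
pre-fix and post-fix default patterns as recalled from the upstream
fix (an assumption, not text from this page).
"""
import re
import time

# Pre-fix default (assumed): two adjacent \s* around an optional '#'
# make the engine try every split of a long whitespace run before it
# can conclude that the line is not junk -> O(n^2) on a failing line.
OLD_JUNK = re.compile(r"\s*#?\s*$").match

# Post-fix default (assumed): trailing whitespace is only tried after a
# '#' actually matched, so a failing line is rejected in one pass.
NEW_JUNK = re.compile(r"\s*(?:#\s*)?$").match


def is_line_junk(line, pat=NEW_JUNK):
    """Same contract as difflib.IS_LINE_JUNK: True for blank or '#'-only lines."""
    return pat(line) is not None


def time_match(pat, line):
    """Seconds spent evaluating pat(line) once."""
    t0 = time.perf_counter()
    pat(line)
    return time.perf_counter() - t0


def evil_line(n):
    """Constructed worst case: n whitespace chars, then one non-junk char."""
    return " " * n + "x"


# Constructed edge cases; '$' also matches before a trailing newline.
SAMPLES = ["", "   ", "#", "  #  ", "\t#\n", "  # x", "x", " x ", "##"]


def patterns_agree(lines=SAMPLES):
    """True when old and new defaults classify every sample identically."""
    return all(is_line_junk(l, OLD_JUNK) == is_line_junk(l, NEW_JUNK)
               for l in lines)


if __name__ == "__main__":
    assert patterns_agree()
    bad = evil_line(4000)
    print("old pattern: %.3fs" % time_match(OLD_JUNK, bad))
    print("new pattern: %.6fs" % time_match(NEW_JUNK, bad))
```

The agreement check is what a reviewer wants before accepting a regex swap for a DoS fix; the timing function is the shape of the REDOS test the commit mentions, and the same harness applies to the poplib timestamp pattern with the 2K cap from the message as the input size.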
Python Misc subdirectory
========================

This directory contains files that wouldn't fit in elsewhere.  Some
documents are only of historic importance.

Files found here
----------------

ACKS                    Acknowledgements
AIX-NOTES               Notes for building Python on AIX
BeOS-NOTES              Notes for building on BeOS
BeOS-setup.py           setup.py replacement for BeOS, see BeOS-NOTES
build.sh                Script to build and test latest Python from the repository
cheatsheet              Quick summary of Python by Ken Manheimer
developers.txt          A history of who got developer permissions, and why
gdbinit                 Handy stuff to put in your .gdbinit file, if you use gdb
HISTORY                 News from previous releases -- oldest last
indent.pro              GNU indent profile approximating my C style
maintainers.rst         A list of maintainers for library modules
NEWS                    News for this release (for some meaning of "this")
NEWS.help               How to edit NEWS
Porting                 Mini-FAQ on porting to new platforms
PURIFY.README           Information for Purify users
pymemcompat.h           Memory interface compatibility file.
python-config.in        Python script template for python-config
python.man              UNIX man page for the python interpreter
python-mode.el          Emacs mode for editing Python programs
python.pc.in            Package configuration info template for pkg-config
python-wing.wpr         Wing IDE project file
README                  The file you're reading now
README.coverity         Information about running Coverity's Prevent on Python
README.klocwork         Information about running Klocwork's K7 on Python
README.OpenBSD          Help for building problems on OpenBSD
README.valgrind         Information for Valgrind users, see valgrind-python.supp
RFD                     Request For Discussion about a Python newsgroup
setuid-prog.c           C helper program for set-uid Python scripts
SpecialBuilds.txt       Describes extra symbols you can set for debug builds
TextMate                A TextMate bundle for Python development
valgrind-python.supp    Valgrind suppression file, see README.valgrind
vgrindefs               Python configuration for vgrind (a generic pretty printer)
Vim                     Python development utilities for the Vim editor