code.ossystems Code Review - openembedded-core.git/commit
python3: CVE-2018-1061
author Sinan Kaya <okaya@kernel.org>
Fri, 5 Oct 2018 00:39:08 +0000 (00:39 +0000)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 18 Oct 2018 10:08:45 +0000 (11:08 +0100)
commit 1461bcc72e6649920ecf4226e006e5667c48a21c
tree 972844d226bcab3945623e3c6c2b688df0edd483
parent 06d7f9039b005c2112e28336ac1c30e5120ec815
python3: CVE-2018-1061

* CVE-2018-1060
Prevent low-grade poplib REDOS:
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

* CVE-2018-1061
Prevent difflib REDOS
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.

Affects < 3.5.6rc1

CVE: CVE-2018-1060
CVE: CVE-2018-1061
Ref: https://access.redhat.com/security/cve/cve-2018-1060
Ref: https://access.redhat.com/security/cve/cve-2018-1061

Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/recipes-devtools/python/python3/CVE-2018-1061.patch [new file with mode: 0644]
meta/recipes-devtools/python/python3_3.5.5.bb
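An added illustration of the difflib issue the commit message describes, not part of this commit or of the patch it adds: the two regexes are CPython's pre-fix default `IS_LINE_JUNK` pattern and the replacement introduced by the upstream fix (neither is reproduced on this page); the sample lines and the whitespace-run input are constructed here to show that the two patterns classify lines identically while only the old one backtracks quadratically.

```python
import re
import time

# Default IS_LINE_JUNK pattern in CPython's difflib before the CVE-2018-1061 fix:
# two adjacent \s* quantifiers around an optional '#' can split one run of
# whitespace in O(n) ways, so a non-matching tail costs O(n^2) backtracking.
VULNERABLE = re.compile(r"\s*#?\s*$")
# Replacement from the upstream fix: each whitespace run is owned by exactly one
# quantifier, so the engine tries each split point once (linear time).
FIXED = re.compile(r"\s*(?:#\s*)?$")


def is_line_junk(line, pat=FIXED.match):
    """Mirror difflib.IS_LINE_JUNK: junk if the line is blank or only '#' plus whitespace."""
    return pat(line) is not None


def patterns_agree(lines):
    """True if the vulnerable and fixed regexes classify every sample line identically."""
    return all((VULNERABLE.match(l) is None) == (FIXED.match(l) is None) for l in lines)


def time_match(pat, line):
    """Seconds spent on a single match() call against `line`."""
    t0 = time.perf_counter()
    pat.match(line)
    return time.perf_counter() - t0


def backtracking_ratio(pat, n):
    """Growth factor of match time when the input doubles from n to 2n spaces.
    About 2 indicates linear behaviour; about 4 is the quadratic ReDoS signature."""
    # Constructed adversarial input: a run of spaces ending in a char that defeats `$`.
    small, large = " " * n + "x", " " * (2 * n) + "x"
    return time_match(pat, large) / max(time_match(pat, small), 1e-9)


if __name__ == "__main__":
    # Constructed sample lines covering blank, comment-only and real content.
    samples = ["", "   ", "#", "  # ", " #  x", "code  # comment", "\t#\t"]
    assert patterns_agree(samples)
    print("vulnerable growth factor:", round(backtracking_ratio(VULNERABLE, 4000), 1))
    print("fixed growth factor:     ", round(backtracking_ratio(FIXED, 4000), 1))
```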