The Wayback Machine - https://web.archive.org/web/20241009144850/https://github.com/python/cpython/pull/119514

gh-119511: Fix OOM vulnerability in imaplib #119514

Draft. Wants to merge 2 commits into base: main.

Conversation

@serhiy-storchaka (Member) commented May 24, 2024

The IMAP4 client could consume an arbitrary amount of memory when trying to connect to a malicious server, because it read "literal" data with a single read(size) call, and BufferedReader.read() allocates the bytes object of the specified size before reading. Now the IMAP4 client reads data by chunks, therefore the amount of used memory is limited by the amount of data actually sent by the server.

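As an added illustration of the description above (example code written here, not code from this PR or from CPython's imaplib), the single read(size) strategy is run beside a chunked reader whose requests grow with what has actually been received. RecordingReader, SAMPLE_SERVER_DATA and the function names are this example's own constructions; the recorded request size stands for what a BufferedReader would allocate before any byte arrives.

```python
import io

# Constructed sample: the server announces a 1,000,000-byte literal but then
# sends only 22 bytes and closes the connection.
DECLARED_SIZE = 1_000_000
SENT_BODY = b"hello from the server\n"
SAMPLE_SERVER_DATA = b"* 1 FETCH (BODY[] {%d}\r\n" % DECLARED_SIZE + SENT_BODY

class RecordingReader:
    """Stand-in for sock.makefile('rb') (hypothetical helper) that records the
    largest read() request, i.e. what a BufferedReader would allocate up front."""

    def __init__(self, f):
        self._f = f
        self.max_request = 0

    def readline(self):
        return self._f.readline()

    def read(self, n):
        self.max_request = max(self.max_request, n)
        return self._f.read(n)

def read_literal_single(file, size):
    """Pre-fix strategy: one read(size) sized by the untrusted declared length."""
    return file.read(size)

def read_literal_chunked(file, size, first_chunk=4096):
    """Fixed strategy: each request is at most what has already been received
    (doubling), so a bogus declared size cannot force a large allocation."""
    data = bytearray()
    while len(data) < size:
        delta = min(max(first_chunk, len(data)), size - len(data))
        chunk = file.read(delta)
        if not chunk:  # EOF: the server closed before completing the literal
            break
        data += chunk
    return bytes(data)

def compare():
    """Run both strategies on the sample; return (body, single_max, chunked_max)."""
    single = RecordingReader(io.BytesIO(SAMPLE_SERVER_DATA))
    single.readline()  # consume the '* 1 FETCH (BODY[] {1000000}' line
    read_literal_single(single, DECLARED_SIZE)
    chunked = RecordingReader(io.BytesIO(SAMPLE_SERVER_DATA))
    chunked.readline()
    body = read_literal_chunked(chunked, DECLARED_SIZE)
    return body, single.max_request, chunked.max_request
```

With the sample, the single read requests the full 1,000,000 bytes at once, while the chunked reader never requests more than 4096 bytes and still returns the 22 bytes the server actually sent.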
@serhiy-storchaka serhiy-storchaka added type-security A security issue needs backport to 3.8 needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes stdlib Python modules in the Lib dir release-blocker needs backport to 3.11 only security fixes needs backport to 3.12 bug and security fixes needs backport to 3.13 bugs and security fixes labels May 24, 2024
@serhiy-storchaka serhiy-storchaka requested a review from a team as a code owner May 24, 2024 18:15
@gpshead gpshead marked this pull request as draft May 24, 2024 19:59
@gpshead (Member) commented May 24, 2024

I've marked this Draft for now as discussion on this on the security response team list is not complete. (we'll summarize that in a public issue once it has settled)

Lib/imaplib.py Outdated
delta = min(cursize, size - cursize)
data += self.file.read(delta)
cursize += delta
return data
return self.file.read(size)
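Review bot: `cursize += delta` assumes `self.file.read(delta)` returned all `delta` bytes; on a short read at EOF (the server closing the connection mid-literal) the counter overstates what arrived and a truncated literal is returned as if it were complete. Advance by the actual length and stop on an empty chunk, e.g. `chunk = self.file.read(delta)` / `if not chunk: break` / `cursize += len(chunk)`. The `return self.file.read(size)` after `return data` is unreachable and is the single-allocation read this change is meant to replace; drop it.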
Contributor


I think you've missed erasing this part.

Member Author


Good catch!

@encukou (Member) commented Jun 7, 2024

Since this did not block a release, I'm switching it to deferred blocker.

Labels
deferred-blocker needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 bug and security fixes needs backport to 3.13 bugs and security fixes stdlib Python modules in the Lib dir type-security A security issue