Bugzilla – Bug 856835
VUL-1: CVE-2013-1753: python: gzip decompression bomb
Last modified: 2020-06-30 19:12:34 UTC
CVE-2013-1753 via rh bugzilla

It was reported [1] that the XMLRPC client library in Python is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip. If an XMLRPC program written in Python were to contact a malicious server which responded with a specially-crafted HTTP request, it could possibly result in a denial of service of the client (memory exhaustion).

A proposed patch [2] is available, but nothing has been committed or released as there seems to still be some discussion on other enhancements to the patch.

References:
[1] http://bugs.python.org/issue16043
[2] http://bugs.python.org/file28796/xmlrpc_gzip_27.patch
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1753
https://bugzilla.redhat.com/show_bug.cgi?id=1046170
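The memory-exhaustion mechanism described in the report, as an added example that is not part of the bug thread, its patch or the stdlib: an unbounded gzip decoder beside one that caps decompressed output, which is the shape CPython's eventual fix took (a max_decode parameter, default 20 MiB). The function names and the constructed sample bodies are this example's own assumptions.

```python
"""Bounded gzip decoding for XML-RPC style HTTP bodies.

Added example, not code from the bug report, its patch or the stdlib. It puts
the unbounded decoder the report describes beside one that caps decompressed
output, the shape CPython's eventual fix took (max_decode, default 20 MiB).
Function names and the sample payloads are this example's own.
"""
import gzip
import io

DEFAULT_MAX_DECODE = 20 * 1024 * 1024  # 20 MiB budget for the decoded body


def unbounded_gzip_decode(data: bytes) -> bytes:
    """Vulnerable pattern: the decoded size is chosen entirely by the sender."""
    return gzip.GzipFile(fileobj=io.BytesIO(data)).read()


def bounded_gzip_decode(data: bytes, max_decode: int = DEFAULT_MAX_DECODE) -> bytes:
    """Decompress a gzip body, raising ValueError once it exceeds max_decode bytes.

    GzipFile.read(n) inflates incrementally and returns at most n bytes, so
    asking for max_decode + 1 bounds peak memory: one byte over budget proves
    the payload is too large without decoding the rest of it.
    """
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gzf:
            decoded = gzf.read(max_decode + 1)
    except (OSError, EOFError):  # corrupt or truncated stream
        raise ValueError("invalid gzip data") from None
    if len(decoded) > max_decode:
        raise ValueError("max gzipped payload length exceeded")
    return decoded


# Constructed inputs: a plausible XML-RPC response, and a body of about 1 KiB
# compressed that inflates to 1 MiB of identical bytes (roughly 1000:1).
SAMPLE_RESPONSE = gzip.compress(
    b"<?xml version='1.0'?><methodResponse><params><param>"
    b"<value><string>ok</string></value></param></params></methodResponse>"
)
EXPANDING_BODY = gzip.compress(b"\x00" * (1024 * 1024))

def check_response(body: bytes, max_decode: int) -> str:
    """Return 'accepted' or 'rejected' for a gzip body under the given budget."""
    try:
        bounded_gzip_decode(body, max_decode)
        return "accepted"
    except ValueError:
        return "rejected"
```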
bugbot adjusting priority
the discussion in bug 856836 applies to this one as well: https://bugzilla.novell.com/show_bug.cgi?id=856836#c3
SLE 11 (python 2.6 and older) is not affected
This is an autogenerated message for OBS integration: This bug (856835) was mentioned in https://build.opensuse.org/request/show/222059 Factory / python
This is an autogenerated message for OBS integration: This bug (856835) was mentioned in https://build.opensuse.org/request/show/222235 Factory / python
This is an autogenerated message for OBS integration: This bug (856835) was mentioned in https://build.opensuse.org/request/show/225093 13.1 / python
Let's consider it resolved (pending openSUSE 13.1 release).
openSUSE-SU-2014:0380-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 637176,831442,856835,856836,857470,863741
CVE References: CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912
Sources used:
openSUSE 13.1 (src): python-2.7.6-8.6.1, python-base-2.7.6-8.6.1, python-doc-2.7.6-8.6.1
This is an autogenerated message for OBS integration: This bug (856835) was mentioned in https://build.opensuse.org/request/show/227818 13.1 / python3
openSUSE-SU-2014:0498-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 856835,856836,863741,869222
CVE References: CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2013-7338,CVE-2014-1912
Sources used:
openSUSE 13.1 (src): python3-3.3.5-5.4.1, python3-base-3.3.5-5.4.1, python3-doc-3.3.5-5.4.1
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.
Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.