Bug 1088004 - (CVE-2018-1061) VUL-1: CVE-2018-1061: python,python3: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/203075/
CVSSv3:SUSE:CVE-2018-1061:5.5:(AV:L/A...
Depends on:
Blocks:
Reported: 2018-04-04 05:56 UTC by Marcus Meissner
Modified: 2022-06-10 08:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2018-04-04 05:56:29 UTC
A catastrophic backtracking vulnerability was found in Python. Exploitation of a regular expression in the difflib.IS_LINE_JUNK method in servers that use difflib can lead to denial of service.

Upstream issue:

https://bugs.python.org/issue32981
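For readers validating a backport of the fix, the following is an added example (not part of this report, of CPython, or of the SUSE packages) that places the pre-fix `IS_LINE_JUNK` pattern beside the post-fix one from the upstream commit referenced below, checks that both accept exactly the same lines, checks that the running interpreter's `difflib.IS_LINE_JUNK` agrees with the fixed semantics, and times only the fixed pattern on the worst-case input shape (a long whitespace run ending in `##`). The sample lines and the helper names are constructed for this example.

```python
import difflib
import re
import time

# Pre-fix pattern from Lib/difflib.py (the one replaced by the upstream commit).
# The two unbounded \s* runs, separated only by an optional '#', overlap: on a
# long whitespace run that does not end in a lone optional '#', the engine tries
# every split of the whitespace between the two groups before giving up, O(n^2).
OLD_PAT = re.compile(r"\s*#?\s*$")

# Post-fix pattern: the second \s* is only reachable after a literal '#', so each
# whitespace character belongs to exactly one group and matching stays linear.
NEW_PAT = re.compile(r"\s*(?:#\s*)?$")


def is_line_junk_old(line, pat=OLD_PAT.match):
    """Pre-fix semantics: True for blank lines and lines holding a single '#'."""
    return pat(line) is not None


def is_line_junk_fixed(line, pat=NEW_PAT.match):
    """Post-fix semantics: same accept set as the old pattern, linear time."""
    return pat(line) is not None


# Constructed sample lines (kept short on purpose: the old pattern is safe here).
SAMPLE_LINES = [
    "",            # empty -> junk
    "   \t ",      # whitespace only -> junk
    "#",           # lone comment marker -> junk
    "  #  \n",     # marker with surrounding whitespace and newline -> junk
    "##",          # two markers -> not junk
    "  # x",       # marker followed by text -> not junk
    "x",           # code -> not junk
    "\t\t# \t##",  # whitespace, marker, more markers -> not junk
]
EXPECTED = [True, True, True, True, False, False, False, False]


def patterns_agree(lines=SAMPLE_LINES):
    """Both patterns classify every sample line identically."""
    return all(is_line_junk_old(l) == is_line_junk_fixed(l) for l in lines)


def host_difflib_agrees(lines=SAMPLE_LINES):
    """The interpreter's own difflib.IS_LINE_JUNK matches the fixed semantics."""
    return all(difflib.IS_LINE_JUNK(l) == is_line_junk_fixed(l) for l in lines)


def fixed_pattern_timing(n=200_000):
    """Run the fixed pattern on the worst-case shape (long whitespace run ending
    in '##') and return (result, seconds). Only the fixed pattern is exercised;
    the old one would need roughly n*n/2 matcher steps on the same input."""
    line = "\t" * n + "##"
    start = time.perf_counter()
    result = is_line_junk_fixed(line)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    print("old == fixed on samples:", patterns_agree())
    print("host difflib == fixed:", host_difflib_agrees())
    print("fixed on worst-case line: result=%s, %.3fs" % fixed_pattern_timing())
```

The semantic check matters as much as the timing: a backport that merely tightens the pattern to `\s*#?$` would be fast but would reject `"#  "` lines that the original accepted, changing diff output. The worst-case line is only ever fed to the fixed pattern; the old pattern is run on short samples alone.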
Comment 1 Marcus Meissner 2018-04-04 06:01:40 UTC
https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac

has patches and testcases for both poplib and difflib
Comment 7 Liu Shukui 2018-08-16 08:39:22 UTC
(In reply to Marcus Meissner from comment #1)
> https://github.com/python/cpython/commit/
> 0e6c8ee2358a2e23117501826c008842acb835ac
> 
> has patches and testcases for both poplib and difflib

Testcase cannot run with python2.6 on sle11sp4.

sles11sp4-x64:/test/skliu/python # python2  test_difflib.py  
  File "test_difflib.py", line 39
    self.assertEqual(sm.bjunk, {' '})
                                   ^
SyntaxError: invalid syntax
Comment 8 Matej Cepl 2018-08-16 12:00:53 UTC
(In reply to Liu Shukui from comment #7)
> (In reply to Marcus Meissner from comment #1)
> > https://github.com/python/cpython/commit/
> > 0e6c8ee2358a2e23117501826c008842acb835ac
> > 
> > has patches and testcases for both poplib and difflib
> 
> Testcase cannot run with python2.6 on sle11sp4.
> 
> sles11sp4-x64:/test/skliu/python # python2  test_difflib.py  
>   File "test_difflib.py", line 39
>     self.assertEqual(sm.bjunk, {' '})
>                                    ^
> SyntaxError: invalid syntax

I don't understand. https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac doesn't contain string bjunk 

Neither it is in any patch applied to 2.6 for SLE11.

Where does your test_difflib.py come from?
Comment 9 Liu Shukui 2018-08-16 12:52:12 UTC
(In reply to Matej Cepl from comment #8)
> (In reply to Liu Shukui from comment #7)
> > (In reply to Marcus Meissner from comment #1)
> > > https://github.com/python/cpython/commit/
> > > 0e6c8ee2358a2e23117501826c008842acb835ac
> > > 
> > > has patches and testcases for both poplib and difflib
> > 
> > Testcase cannot run with python2.6 on sle11sp4.
> > 
> > sles11sp4-x64:/test/skliu/python # python2  test_difflib.py  
> >   File "test_difflib.py", line 39
> >     self.assertEqual(sm.bjunk, {' '})
> >                                    ^
> > SyntaxError: invalid syntax
> 
> I don't understand.
> https://github.com/python/cpython/commit/
> 0e6c8ee2358a2e23117501826c008842acb835ac doesn't contain string bjunk 
> 
> Neither it is in any patch applied to 2.6 for SLE11.
> 
> Where does your test_difflib.py come from?

I clicked the "View" button in the line containing "Lib/test/test_difflib.py",
then downloaded the raw file.

It's here:
https://github.com/python/cpython/blob/0e6c8ee2358a2e23117501826c008842acb835ac/Lib/test/test_difflib.py
Comment 10 Matej Cepl 2018-08-16 13:30:39 UTC
(In reply to Liu Shukui from comment #9)
> https://github.com/python/cpython/blob/
> 0e6c8ee2358a2e23117501826c008842acb835ac/Lib/test/test_difflib.py

Well, except that the original patch is from the master branch, which led to 3.6, so of course it is completely incompatible with 2.6.

You'd be better off using the package file from %{_lib64}/python2.7/test/test_difflib.py; it is patched with the appropriate patch.
Comment 11 Liu Shukui 2018-08-17 04:14:19 UTC
(In reply to Matej Cepl from comment #10)
> (In reply to Liu Shukui from comment #9)
> > https://github.com/python/cpython/blob/
> > 0e6c8ee2358a2e23117501826c008842acb835ac/Lib/test/test_difflib.py
> 
> Well, except that the original patch is from the master branch, which led to
> 3.6, so of course it is completely incompatible with 2.6.
> 
> You'd be better off using the package file from
> %{_lib64}/python2.7/test/test_difflib.py; it is patched with the appropriate
> patch.

%{_lib64}/python2.7/test/test_difflib.py cannot run either.

see:
http://paste.suse.de/17696

I will skip this bug validation.
Comment 13 Swamp Workflow Management 2018-08-17 13:08:25 UTC
SUSE-SU-2018:2408-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1086001,1088004,1088009,985177
CVE References: CVE-2016-5636,CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Server 11-SP4 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1
Comment 15 Swamp Workflow Management 2018-09-12 13:08:27 UTC
SUSE-SU-2018:2696-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1107030
CVE References: CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python3-base-3.4.6-25.16.1
SUSE Linux Enterprise Server 12-SP3 (src):    python3-3.4.6-25.16.1, python3-base-3.4.6-25.16.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.6-25.16.1, python3-base-3.4.6-25.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python3-3.4.6-25.16.1, python3-base-3.4.6-25.16.1
Comment 16 Swamp Workflow Management 2018-09-14 16:08:29 UTC
openSUSE-SU-2018:2712-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1107030
CVE References: CVE-2018-1060,CVE-2018-1061
Sources used:
openSUSE Leap 42.3 (src):    python3-3.4.6-12.6.1, python3-base-3.4.6-12.6.1, python3-doc-3.4.6-12.6.1
Comment 18 Swamp Workflow Management 2018-10-29 20:14:10 UTC
SUSE-SU-2018:3554-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1109663
CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Server 12-SP3 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1, python-doc-2.7.13-28.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
SUSE Enterprise Storage 5 (src):    python-2.7.13-28.16.1
SUSE CaaS Platform ALL (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
SUSE CaaS Platform 3.0 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
OpenStack Cloud Magnum Orchestration 7 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
Comment 19 Swamp Workflow Management 2018-11-09 23:20:55 UTC
openSUSE-SU-2018:3703-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1109663
CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Sources used:
openSUSE Leap 42.3 (src):    python-2.7.13-27.9.1, python-base-2.7.13-27.9.1, python-doc-2.7.13-27.9.1
Comment 20 Swamp Workflow Management 2018-12-10 17:26:11 UTC
SUSE-SU-2018:3554-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1109663
CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Server 12-SP4 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1, python-doc-2.7.13-28.16.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
Comment 27 Swamp Workflow Management 2020-01-16 14:13:30 UTC
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2020-01-21 20:16:00 UTC
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src):    python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
Comment 29 Swamp Workflow Management 2020-01-24 20:12:56 UTC
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Swamp Workflow Management 2020-09-21 19:15:35 UTC
SUSE-SU-2020:2699-1: An update that solves 7 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1088004,1088009,1130840,1141853,1149955,1153238,1162423,1173274,1174091,1174701
CVE References: CVE-2018-14647,CVE-2018-20852,CVE-2019-16056,CVE-2019-16935,CVE-2019-20907,CVE-2019-9947,CVE-2020-14422
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud Crowbar 8 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 9 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 8 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 7 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Enterprise Storage 5 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
HPE Helion Openstack 8 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 OBSbugzilla Bot 2020-11-27 16:41:16 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/851367 Factory / python36
Comment 45 OBSbugzilla Bot 2020-12-01 18:21:10 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/852415 Factory / python36
Comment 47 OBSbugzilla Bot 2020-12-05 17:31:11 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/853277 Factory / python36
Comment 48 OBSbugzilla Bot 2020-12-05 19:11:15 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/853314 Factory / python36
Comment 51 OBSbugzilla Bot 2020-12-17 18:11:15 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/856737 Factory / python36
Comment 52 OBSbugzilla Bot 2021-10-06 14:41:22 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 53 OBSbugzilla Bot 2021-10-22 08:41:22 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36
Comment 54 OBSbugzilla Bot 2022-02-06 22:30:27 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 55 OBSbugzilla Bot 2022-02-09 19:10:29 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python
Comment 56 OBSbugzilla Bot 2022-06-10 08:40:27 UTC
This is an autogenerated message for OBS integration:
This bug (1088004) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python