CVE-2018-1061

NameCVE-2018-1061
Descriptionpython before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1519-1, DLA-1520-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python2.7 (PTS)jessie2.7.9-2+deb8u1vulnerable
jessie (security)2.7.9-2+deb8u2fixed
stretch2.7.13-2+deb9u2vulnerable
buster, sid2.7.15-4fixed
python3.4 (PTS)jessie3.4.2-1vulnerable
jessie (security)3.4.2-1+deb8u1fixed
python3.5 (PTS)stretch3.5.3-1vulnerable
sid3.5.6-1fixed
python3.6 (PTS)buster3.6.6-1fixed
sid3.6.6-4fixed
python3.7 (PTS)buster3.7.0-1fixed
sid3.7.0-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python2.6source(unstable)(unfixed)low
python2.7source(unstable)2.7.14-7low
python2.7sourcejessie2.7.9-2+deb8u2mediumDLA-1519-1
python3.2source(unstable)(unfixed)low
python3.4source(unstable)(unfixed)low
python3.4sourcejessie3.4.2-1+deb8u1mediumDLA-1520-1
python3.5source(unstable)3.5.6-1low
python3.6source(unstable)3.6.5~rc1-1low
python3.7source(unstable)3.7.0~b3-1low

Notes

[stretch] - python3.5 <no-dsa> (Minor issue)
[wheezy] - python3.2 <no-dsa> (Minor issue)
[stretch] - python2.7 <no-dsa> (Minor issue)
[wheezy] - python2.7 <no-dsa> (Minor issue)
[wheezy] - python2.6 <no-dsa> (Minor issue)
https://bugs.python.org/issue32981
https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master)
https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7)
https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523 (3.6)
https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b (3.5)
https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0 (3.4)
https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7)

Search for package or bug name: Reporting problems