CVE-2018-1061

NameCVE-2018-1061
Descriptionpython before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python2.7 (PTS)jessie2.7.9-2+deb8u1vulnerable
stretch2.7.13-2+deb9u2vulnerable
buster, sid2.7.15-1fixed
python3.4 (PTS)jessie3.4.2-1vulnerable
python3.5 (PTS)stretch3.5.3-1vulnerable
sid3.5.5-1vulnerable
python3.6 (PTS)buster, sid3.6.6-1fixed
python3.7 (PTS)buster, sid3.7.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python2.6source(unstable)(unfixed)low
python2.7source(unstable)2.7.14-7low
python3.2source(unstable)(unfixed)low
python3.4source(unstable)(unfixed)low
python3.5source(unstable)(unfixed)low
python3.6source(unstable)3.6.5~rc1-1low
python3.7source(unstable)3.7.0~b3-1low

Notes

[stretch] - python3.5 <no-dsa> (Minor issue)
[jessie] - python3.4 <no-dsa> (Minor issue)
[wheezy] - python3.2 <no-dsa> (Minor issue)
[stretch] - python2.7 <no-dsa> (Minor issue)
[jessie] - python2.7 <no-dsa> (Minor issue)
[wheezy] - python2.7 <no-dsa> (Minor issue)
[wheezy] - python2.6 <no-dsa> (Minor issue)
https://bugs.python.org/issue32981
https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master)
https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7)
https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523 (3.6)
https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b (3.5)
https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0 (3.4)
https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7)

Search for package or bug name: Reporting problems