Skip to content

[3.9] gh-119511: Fix a potential denial of service in imaplib (GH-119514) #130248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 19, 2025
Merged

[3.9] gh-119511: Fix a potential denial of service in imaplib (GH-119514) #130248

merged 2 commits into from
Feb 19, 2025

Conversation

hugovk
Copy link
Member

@hugovk hugovk commented Feb 18, 2025
edited
Loading

The IMAP4 client could consume an arbitrary amount of memory when trying to connect to a malicious server, because it read a "literal" data with a single read(size) call, and BufferedReader.read() allocates the bytes object of the specified size before reading. Now the IMAP4 client reads data by chunks, therefore the amount of used memory is limited by the amount of the data actually been sent by the server.

(cherry picked from commit 735f25c)
@serhiy-storchaka @gpshead @hugovk
[3.9] pythongh-119511: Fix a potential denial of service in imaplib (p…
d0f693c 
…ythonGH-119514)

The IMAP4 client could consume an arbitrary amount of memory when trying
to connect to a malicious server, because it read a "literal" data with a
single read(size) call, and BufferedReader.read() allocates the bytes
object of the specified size before reading. Now the IMAP4 client reads data
by chunks, therefore the amount of used memory is limited by the
amount of the data actually been sent by the server.
(cherry picked from commit 735f25c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@hugovk hugovk requested a review from a team as a code owner February 18, 2025 08:39
@bedevere-app bedevere-app bot added the type-security A security issue label Feb 18, 2025
@bedevere-app bedevere-app bot mentioned this pull request Feb 18, 2025
Merged
@bedevere-app bedevere-app bot mentioned this pull request Feb 18, 2025
Closed
@ambv ambv merged commit f116a9c into python:3.9 Feb 19, 2025
14 checks passed
@hugovk hugovk deleted the backport-735f25c-3.9 branch February 19, 2025 13:38
gentoo-bot pushed a commit to gentoo/cpython that referenced this pull request Apr 9, 2025
@hugovk @serhiy-storchaka
@gpshead @mgorny
[3.9] pythongh-119511: Fix a potential denial of service in imaplib (p…
3a6c6e0 
…ythonGH-119514) (python#130248)

The IMAP4 client could consume an arbitrary amount of memory when trying
to connect to a malicious server, because it read a "literal" data with a
single read(size) call, and BufferedReader.read() allocates the bytes
object of the specified size before reading. Now the IMAP4 client reads data
by chunks, therefore the amount of used memory is limited by the
amount of the data actually been sent by the server.
(cherry picked from commit 735f25c)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type-security A security issue
3 participants
@hugovk @ambv @serhiy-storchaka