packages/python-configobj
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!25 [sync] PR-24: fix CVE-2023-26112

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @swf504 
Signed-off-by: @swf504
This commit is contained in:
openeuler-ci-bot 2024-09-19 06:32:32 +00:00 committed by Gitee
commit de70261ab0
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
0002-Address-CVE-2023-26112-ReDoS.patch Normal file
View File

@ -0,0 +1,51 @@
From a82ea8fb0338f2bd46cf627c4b763094448e6bd7 Mon Sep 17 00:00:00 2001
From: cdcadman <mythirty@gmail.com>
Date: Wed, 17 May 2023 03:57:08 -0700
Subject: [PATCH] Address CVE-2023-26112 ReDoS
---
src/configobj/validate.py | 2 +-
src/tests/test_validate_errors.py | 10 +++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/validate.py b/validate.py
index 9267a3f..98d879f 100644
--- a/validate.py
+++ b/validate.py
@@ -541,7 +541,7 @@ class Validator(object):
"""
# this regex does the initial parsing of the checks
- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
+ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
# this regex takes apart keyword arguments
_key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL)
diff --git a/tests/test_validate_errors.py b/tests/test_validate_errors.py
index 399daa8..f7d6c27 100644
--- a/tests/test_validate_errors.py
+++ b/tests/test_validate_errors.py
@@ -3,7 +3,7 @@ import os
import pytest
from configobj import ConfigObj, get_extra_values, ParseError, NestingError
-from validate import Validator
+from validate import Validator, VdtUnknownCheckError
@pytest.fixture()
def thisdir():
@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
ini.write('[[haha]]')
with pytest.raises(NestingError):
conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
+
+
+def test_re_dos(val):
+ value = "aaa"
+ i = 165100
+ attack = '\x00'*i + ')' + '('*i
+ with pytest.raises(VdtUnknownCheckError):
+ val.check(attack, value)
--
2.40.1

8
python-configobj.spec
View File

@ -2,13 +2,14 @@
Name: python-configobj
Version: 5.0.6
Release: 19
Release: 20
Summary: ConfigObj is a simple but powerful config file reader and writer
License: BSD
URL: http://configobj.readthedocs.org/
Source0: https://github.com/DiffSK/configobj/archive/v%{version}.tar.gz
Patch0: 0001-changed-1-link-in-rest-docs.patch
Patch0: 0001-changed-1-link-in-rest-docs.patch
Patch1: 0002-Address-CVE-2023-26112-ReDoS.patch
BuildRequires:python3-devel python3-pytest python3-setuptools python3-six
BuildArch: noarch
@ -58,6 +59,9 @@ export PYTHONWARNINGS=always
%{python3_sitelib}/*
%changelog
* Sat Sep 14 2024 Wangmian <wangmian19@h-partners.com> - 5.0.6-20
- fix CVE-2023-26112 from fedora
* Mon May 8 2023 Jiangtian Feng <fengjiangtian@huawei.com> - 5.0.6-19
- update the introduction web link