diff --git a/0001-Address-CVE-2023-26112-ReDoS.patch b/0001-Address-CVE-2023-26112-ReDoS.patch new file mode 100644 index 0000000000000000000000000000000000000000..6498e0f300884ee522f23b3c3ea7a57762169348 --- /dev/null +++ b/0001-Address-CVE-2023-26112-ReDoS.patch @@ -0,0 +1,53 @@ +From a82ea8fb0338f2bd46cf627c4b763094448e6bd7 Mon Sep 17 00:00:00 2001 +From: cdcadman +Date: Wed, 17 May 2023 03:57:08 -0700 +Subject: [PATCH] Address CVE-2023-26112 ReDoS + +Reference: https://src.fedoraproject.org/rpms/python-configobj/blob/rawhide/f/0001-Address-CVE-2023-26112-ReDoS.patch + +--- + src/configobj/validate.py | 2 +- + src/tests/test_validate_errors.py | 10 +++++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/validate.py b/validate.py +index 9267a3f..98d879f 100644 +--- a/validate.py ++++ b/validate.py +@@ -541,7 +541,7 @@ class Validator(object): + """ + + # this regex does the initial parsing of the checks +- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL) ++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL) + + # this regex takes apart keyword arguments + _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL) +diff --git a/tests/test_validate_errors.py b/tests/test_validate_errors.py +index 399daa8..f7d6c27 100644 +--- a/tests/test_validate_errors.py ++++ b/tests/test_validate_errors.py +@@ -3,7 +3,7 @@ import os + import pytest + + from configobj import ConfigObj, get_extra_values, ParseError, NestingError +-from validate import Validator ++from validate import Validator, VdtUnknownCheckError + + @pytest.fixture() + def thisdir(): +@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath): + ini.write('[[haha]]') + with pytest.raises(NestingError): + conf = ConfigObj(str(ini), configspec=specpath, file_error=True) ++ ++ ++def test_re_dos(val): ++ value = "aaa" ++ i = 165100 ++ attack = '\x00'*i + ')' + '('*i ++ with pytest.raises(VdtUnknownCheckError): ++ val.check(attack, value) +-- +2.40.1 + diff --git a/python-configobj.spec b/python-configobj.spec index 6bd7001ff87fb9e822c32f0936de03a368e1822d..4ba65cbf38640376a33aa0b86bc0f67091fb5222 100644 --- a/python-configobj.spec +++ b/python-configobj.spec @@ -3,12 +3,14 @@ Name: python-configobj Version: 5.0.6 -Release: 17 +Release: 18 Summary: ConfigObj is a simple but powerful config file reader and writer License: BSD URL: http://configobj.readthedocs.org/ Source0: https://github.com/DiffSK/configobj/archive/v%{version}.tar.gz +Patch0: 0001-Address-CVE-2023-26112-ReDoS.patch + BuildRequires:python2-devel python2-pytest python2-setuptools python2-six BuildRequires:python3-devel python3-pytest python3-setuptools python3-six BuildArch: noarch @@ -73,6 +75,9 @@ export PYTHONWARNINGS=always %{python3_sitelib}/* %changelog +* Sat Sep 14 2024 Wangmian - 5.0.6-18 +- fix CVE-2023-26112 + * Fri Jul 30 2021 chenyanpanHW - 5.0.6-17 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git