!31 [sync] PR-28: fix CVE-2023-26112

From: @openeuler-sync-bot Reviewed-by: @swf504 Signed-off-by: @swf504
2024-09-19 06:30:56 +00:00 · 2024-09-19 06:30:56 +00:00 · 696f99b9ff
commit 696f99b9ff
parent e2f14a40dc dd19378d57
2 changed files with 59 additions and 1 deletions
--- a/0001-Address-CVE-2023-26112-ReDoS.patch
+++ b/0001-Address-CVE-2023-26112-ReDoS.patch
@ -0,0 +1,53 @@
+From a82ea8fb0338f2bd46cf627c4b763094448e6bd7 Mon Sep 17 00:00:00 2001
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: [PATCH] Address CVE-2023-26112 ReDoS
+
+Reference: https://src.fedoraproject.org/rpms/python-configobj/blob/rawhide/f/0001-Address-CVE-2023-26112-ReDoS.patch
+
+---
+ src/configobj/validate.py         |  2 +-
+ src/tests/test_validate_errors.py | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
+++ b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+ 
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
+    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)
+diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
+++ b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+ 
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
+from configobj.validate import Validator, VdtUnknownCheckError
+ 
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+     ini.write('[[haha]]')
+     with pytest.raises(NestingError):
+         conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
+
+
+def test_re_dos(val):
+    value = "aaa"
+    i = 165100
+    attack = '\x00'*i + ')' + '('*i
+    with pytest.raises(VdtUnknownCheckError):
+        val.check(attack, value)
+-- 
+2.40.1
+
--- a/python-configobj.spec
+++ b/python-configobj.spec
@ -2,12 +2,14 @@

 Name:    python-configobj
 Version: 5.0.8
-Release: 1
+Release: 2
 Summary: ConfigObj is a simple but powerful config file reader and writer
 License: BSD
 URL:     http://configobj.readthedocs.org/
 Source0: https://github.com/DiffSK/configobj/archive/v%{version}.tar.gz

+Patch0: 0001-Address-CVE-2023-26112-ReDoS.patch
+
 BuildRequires:python3-devel python3-pytest python3-setuptools python3-six 
 BuildArch:    noarch

@ -59,6 +61,9 @@ pytest -c setup.cfg --color=yes
 %{python3_sitelib}/*

 %changelog
+* Sat Sep 14 2024 Wangmian <wangmian19@h-partners.com> - 5.0.8-2
+- fix CVE-2023-26112
+
 * Wed Feb 7 2024 Weifeng Su <suweifeng1@huawei.com> - 5.0.8-1
 - upgrade to 5.0.8
  -fix a regression error in 5.0.7