!27 fix CVE-2021-46823

From: @zhouwenpei Reviewed-by: @compile_success Signed-off-by: @compile_success
2022-07-26 11:40:15 +00:00 · 2022-07-26 11:40:15 +00:00 · a2d4605edf
commit a2d4605edf
parent b8ab598678 1a07ecdfc5
2 changed files with 32 additions and 2 deletions
--- a/backport-CVE-2021-46823.patch
+++ b/backport-CVE-2021-46823.patch
@ -0,0 +1,22 @@
+From faa011b41f7141121546045925d809d54e70f5fd Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 15 Oct 2021 15:21:37 +0100
+Subject: [PATCH] Fix ReDoS in regex.
+
+---
+ Lib/ldap/schema/tokenizer.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lib/ldap/schema/tokenizer.py b/Lib/ldap/schema/tokenizer.py
+index 69823f2b..623b86d5 100644
+--- a/Lib/ldap/schema/tokenizer.py
+++ b/Lib/ldap/schema/tokenizer.py
+@@ -13,7 +13,7 @@
+     r"|"              # or
+     r"([^'$()\s]+)"   # string of length >= 1 without '$() or whitespace
+     r"|"              # or
+-    r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))"
+    r"('(?:[^'\\]|\\.)*'(?!\w))"
+                       # any string or empty string surrounded by unescaped
+                       # single quotes except if right quote is succeeded by
+                       # alphanumeric char
--- a/python-ldap.spec
+++ b/python-ldap.spec
@ -1,7 +1,7 @@
 %define debug_package %{nil}
 Name:		python-ldap
 Version:	3.3.1
-Release:	2
+Release:	3
 Summary:	An object-oriented API to access LDAP directory servers
 License:	Python
 URL:		http://python-ldap.org/
@ -10,6 +10,8 @@ Source0:	https://files.pythonhosted.org/packages/source/p/%{name}/%{name}-%{vers
 BuildRequires:	gcc openldap-devel
 BuildRequires:  python3-devel python3-setuptools

+Patch0:		backport-CVE-2021-46823.patch
+
 %description
 python-ldap provides an object-oriented API for working with LDAP within\
 Python programs.  It allows access to LDAP directory servers by wrapping the\
@ -35,7 +37,7 @@ OpenLDAP 2.x libraries, and contains modules for other LDAP-related tasks\
 %package_help

 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 find . -name '*.py' | xargs sed -i '1s|^#!/usr/bin/env python|#!%{__python3}|'
 sed -i 's,-Werror,-Wignore,g' tox.ini
 %build
@ -56,6 +58,12 @@ sed -i 's,-Werror,-Wignore,g' tox.ini
 %doc CHANGES README TODO Demo

 %changelog
+* Tue Jul 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 3.3.1-3
+- Type:CVE
+- Id:CVE-2021-46823
+- SUG:NA
+- DESC:fix CVE-2021-46823
+
 * Fri Mar 04 2022 zhaoshuang <zhaoshuang@uniontech.com> - 3.3.1-2
 - remove some unnecessary buildrequires