From 81ffe1c021c8b0629c1e44a733cab3befcb11814b423f59a3fe7400f4cd56f26 Mon Sep 17 00:00:00 2001
From: Daniel Garcia
Date: Thu, 5 Jan 2023 12:04:36 +0000
Subject: [PATCH] - Add CVE-2022-40899.patch to fix REDoS in http.cookiejar gh#PythonCharmers/python-future#610 bsc#1206673
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-future?expand=0&rev=33
---
 CVE-2022-40899.patch | 70 +++++++++++++++++++++++++++++++++++++++++++
 python-future.changes | 7 +++++
 python-future.spec | 15 ++++++----
 3 files changed, 87 insertions(+), 5 deletions(-)
 create mode 100644 CVE-2022-40899.patch
diff --git a/CVE-2022-40899.patch b/CVE-2022-40899.patch
new file mode 100644
index 0000000..1f114c8
--- /dev/null
+++ b/CVE-2022-40899.patch
@@ -0,0 +1,70 @@
+Index: future-0.16.0/src/future/backports/http/cookiejar.py
+===================================================================
+--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
++++ future-0.16.0/src/future/backports/http/cookiejar.py
+@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
+ (?::(\d\d))? # optional seconds
+ )? # optional clock
+ \s*
+- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
++ (?:
++ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
+ \s*
+- (?:\(\w+\))? # ASCII representation of timezone in parens.
+- \s*$""", re.X | re.ASCII)
++ )?
++ (?:
++ \(\w+\) # ASCII representation of timezone in parens.
++ \s*
++ )?$""", re.X | re.ASCII)
+ def http2time(text):
+ """Returns time in seconds since epoch of time represented by a string.
+
+@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
+ (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
+ )? # optional clock
+ \s*
+- ([-+]?\d\d?:?(:?\d\d)?
+- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
+- \s*$""", re.X | re. ASCII)
++ (?:
++ ([-+]?\d\d?:?(:?\d\d)?
++ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
++ \s*
++ )?$""", re.X | re. ASCII)
+ def iso2time(text):
+ """
+ As for http2time, but parses the ISO 8601 formats:
+Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
+===================================================================
+--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
++++ future-0.16.0/tests/test_future/test_http_cookiejar.py
+@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
+ "http2time(%s) is not None\n"
+ "http2time(test) %s" % (test, http2time(test)))
+
++ def test_http2time_redos_regression_actually_completes(self):
++ # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
++ # catastrophic backtracking (REDoS). If we regress to cubic complexity,
++ # this test will take a very long time to succeed. If fixed, it should
++ # complete within a fraction of a second.
++ http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
++ http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
++
+ def test_iso2time(self):
+ def parse_date(text):
+ return time.gmtime(iso2time(text))[:6]
+@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
+ "iso2time(%s) is not None\n"
+ "iso2time(test) %s" % (test, iso2time(test)))
+
++ def test_iso2time_performance_regression(self):
++ # If ISO_DATE_RE regresses to quadratic complexity, this test will take
++ # a very long time to succeed. If fixed, it should complete within a
++ # fraction of a second.
++ iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
++ iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
++
+
+ class HeaderTests(unittest.TestCase):
+
diff --git a/python-future.changes b/python-future.changes
index 30981dd..297226c 100644
--- a/python-future.changes
+++ b/python-future.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan 5 12:03:41 UTC 2023 - Daniel Garcia
+
+- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
+ gh#PythonCharmers/python-future#610
+ bsc#1206673
+
 -------------------------------------------------------------------
 Fri Mar 12 13:35:13 UTC 2021 - Matej Cepl
diff --git a/python-future.spec b/python-future.spec
index bdc19ae..08043dc 100644
--- a/python-future.spec
+++ b/python-future.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-future
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,7 +16,6 @@
 #
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name: python-future
 Version: 0.18.2
 Release: 0
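Review bot: The two regression tests added to test_http_cookiejar.py call http2time() and iso2time() without checking the result, so a regression of the regex shows up as a hung test run rather than a failed test, and nothing pins that the trailing `!` in each input is still rejected by the `$`-anchored pattern. Both inputs end in `!`, so each call should return None and asserting it costs nothing: `self.assertIsNone(http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)))`, and likewise for the second http2time line and the two iso2time lines. Whether None is indeed the result depends on the http2time/iso2time bodies, which lie outside the hunk (only their `def` lines appear as context). The inner patch headers are written against a future-0.16.0 tree while the spec builds 0.18.2; that only matters for the strip level used when applying it, but refreshing the header against the packaged tree would avoid confusion.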
@@ -33,6 +32,8 @@ Patch1: future-correct-mimetype.patch
 # PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 mcepl@suse.com
 # Overcome incompatibilites with python 3.9
 Patch2: python39-build.patch
+# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 bsc#1206673
+Patch3: CVE-2022-40899.patch
 BuildRequires: %{python_module pytest}
 BuildRequires: %{python_module setuptools}
 BuildRequires: fdupes
@@ -43,7 +44,7 @@ BuildRequires: %{python_module dbm}
 BuildRequires: python3-dbm
 %endif
 Requires(post): update-alternatives
-Requires(preun):update-alternatives
+Requires(postun):update-alternatives
 BuildArch: noarch
 %python_subpackages
@@ -71,7 +72,7 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
 %post
 %{python_install_alternative futurize pasteurize}
-%preun
+%postun
 %python_uninstall_alternative futurize
 %check
@@ -86,6 +87,10 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
 %license LICENSE.txt
 %python_alternative %{_bindir}/futurize
 %python_alternative %{_bindir}/pasteurize
-%{python_sitelib}/*
+%{python_sitelib}/future-%{version}*-info
+%{python_sitelib}/future
+%{python_sitelib}/libfuturize
+%{python_sitelib}/libpasteurize
+%{python_sitelib}/past
 %changelog
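Review bot: Patch3 is declared in the `@@ -33,6 +32,8 @@` hunk, but none of the visible hunks touch `%prep`, so the patch is not shown being applied; if the spec applies patches with explicit `%patch` lines rather than `%autosetup -p1`, a `%patch3 -p1` line is needed, otherwise the CVE fix is declared but never built in. The `sed -i` function context on the `@@ -71` and `@@ -86` hunk headers suggests `%prep` exists with per-file commands, so please confirm the new side of that section. The inner patch paths are prefixed with `future-0.16.0/`, so `-p1` is required for it to apply to the 0.18.2 tree. Because the new regression tests only hang on an unpatched tree, a missing `%patch3` would surface as a `%check` timeout rather than a test failure.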