diff --git a/CVE-2020-8492-urllib-ReDoS.patch b/CVE-2020-8492-urllib-ReDoS.patch index 7ffbb12..927cba3 100644 --- a/CVE-2020-8492-urllib-ReDoS.patch +++ b/CVE-2020-8492-urllib-ReDoS.patch @@ -10,16 +10,21 @@ catastrophic backtracking. Vulnerability reported by Matt Schwager. --- - Lib/urllib/request.py | 2 +- - .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ + Lib/urllib2.py | 2 +- + Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py -index a6d350a97a452..72de8b2206885 100644 ---- a/Lib/urllib/request.py -+++ b/Lib/urllib/request.py -@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler: +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -0,0 +1,4 @@ ++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++:mod:`urllib.request` module uses an inefficient regular expression which can ++be exploited by an attacker to cause a denial of service. Fix the regex to ++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: # allow for double- and single-quoted realm values # (single quotes are a violation of the RFC, but appear in the wild) @@ -28,33 +33,3 @@ index a6d350a97a452..72de8b2206885 100644 'realm=(["\']?)([^"\']*)\\2', re.I) # XXX could pre-emptively send auth info already accepted (RFC 2617, -diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -new file mode 100644 -index 0000000000000..2c2622f4e8d54 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -@@ -0,0 +1,4 @@ -+The :class:`~urllib.request.AbstractBasicAuthHandler` class of the -+:mod:`urllib.request` module uses an inefficient regular expression which can -+be exploited by an attacker to cause a denial of service. Fix the regex to -+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. - -From 7c4bae4e611cf8c03601ecca93cf6482226c52aa Mon Sep 17 00:00:00 2001 -From: Victor Stinner -Date: Thu, 30 Jan 2020 23:12:18 +0100 -Subject: [PATCH 2/2] Add CVE-2020-8492 to the NEWS entry - ---- - .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -index 2c2622f4e8d54..92f186dcb1e49 100644 ---- a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -@@ -1,4 +1,4 @@ --The :class:`~urllib.request.AbstractBasicAuthHandler` class of the -+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the - :mod:`urllib.request` module uses an inefficient regular expression which can - be exploited by an attacker to cause a denial of service. Fix the regex to - prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.