pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reapply the patch

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=276
This commit is contained in:
Matej Cepl 2020-02-06 22:59:43 +00:00 committed by Git OBS Bridge
parent c010d2e825
commit f814036fff
1 changed files with 12 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
CVE-2020-8492-urllib-ReDoS.patch
View File

@ -10,16 +10,21 @@ catastrophic backtracking.
Vulnerability reported by Matt Schwager. Vulnerability reported by Matt Schwager.
--- ---
Lib/urllib/request.py | 2 +- Lib/urllib2.py | 2 +-
.../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-) 2 files changed, 5 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py --- /dev/null
index a6d350a97a452..72de8b2206885 100644 +++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
--- a/Lib/urllib/request.py @@ -0,0 +1,4 @@
+++ b/Lib/urllib/request.py +CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler: +:mod:`urllib.request` module uses an inefficient regular expression which can
+be exploited by an attacker to cause a denial of service. Fix the regex to
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
# allow for double- and single-quoted realm values # allow for double- and single-quoted realm values
# (single quotes are a violation of the RFC, but appear in the wild) # (single quotes are a violation of the RFC, but appear in the wild)
@ -28,33 +33,3 @@ index a6d350a97a452..72de8b2206885 100644
'realm=(["\']?)([^"\']*)\\2', re.I) 'realm=(["\']?)([^"\']*)\\2', re.I)
# XXX could pre-emptively send auth info already accepted (RFC 2617, # XXX could pre-emptively send auth info already accepted (RFC 2617,
diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
new file mode 100644
index 0000000000000..2c2622f4e8d54
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
@@ -0,0 +1,4 @@
+The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+:mod:`urllib.request` module uses an inefficient regular expression which can
+be exploited by an attacker to cause a denial of service. Fix the regex to
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
From 7c4bae4e611cf8c03601ecca93cf6482226c52aa Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Thu, 30 Jan 2020 23:12:18 +0100
Subject: [PATCH 2/2] Add CVE-2020-8492 to the NEWS entry
---
.../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
index 2c2622f4e8d54..92f186dcb1e49 100644
--- a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
@@ -1,4 +1,4 @@
-The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
:mod:`urllib.request` module uses an inefficient regular expression which can
be exploited by an attacker to cause a denial of service. Fix the regex to
prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.