diff --git a/CVE-2023-26112.patch b/CVE-2023-26112.patch
index 209cce7..fa21013 100644
--- a/CVE-2023-26112.patch
+++ b/CVE-2023-26112.patch
@@ -8,7 +8,7 @@ Subject: [PATCH] Address CVE-2023-26112 ReDoS
 src/tests/test_validate_errors.py | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
-diff --git a/validate.py b/validate.py
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
 index 9267a3f..98d879f 100644
 --- a/src/configobj/validate.py
 +++ b/src/configobj/validate.py
@@ -21,4 +21,28 @@ index 9267a3f..98d879f 100644
 # this regex takes apart keyword arguments
 _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL)
-
+diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
++++ b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@
+ import pytest
+
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+ ini.write('[[haha]]')
+ with pytest.raises(NestingError):
+ conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++ value = "aaa"
++ i = 165100
++ attack = '\x00'*i + ')' + '('*i
++ with pytest.raises(VdtUnknownCheckError):
++ val.check(attack, value)
diff --git a/python-configobj.changes b/python-configobj.changes
index ec3e307..fd426e5 100644
--- a/python-configobj.changes
+++ b/python-configobj.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 11 12:08:59 UTC 2024 - Matej Cepl
+
+- Refresh CVE-2023-26112.patch according to the last state of
+ gh#DiffSK/configobj!236.
+
 -------------------------------------------------------------------
 Wed Jan 3 16:47:32 UTC 2024 - Ben Greiner
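Review bot: The `test_re_dos` test added to the embedded test_validate_errors.py diff (second hunk of CVE-2023-26112.patch) has no time bound, so a regression back to catastrophic backtracking would show up as a slow or hung test run rather than a failed assertion; the test passes as long as `VdtUnknownCheckError` is eventually raised. Consider timing the call, e.g. `start = time.perf_counter()` before the `with` block and `assert time.perf_counter() - start < 1.0` after it (this needs `import time`, and the bound is only a suggested value), or rely on a suite-level timeout in the build. The input size `i = 165100` is unexplained, and a one-line comment such as `# size of the crafted check string used to exercise the old regex` would tell a maintainer why it must not be shrunk. The `val` fixture is not defined in the visible lines, so it presumably exists elsewhere in the test module, and the validate.py regex change itself lies outside this hunk and cannot be checked from here.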