From c0d86b66b9efecf14d5c902bd427c0aab07b02223aed234ff5f02a120bcd57ab Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Wed, 13 Sep 2023 07:38:28 +0000 Subject: [PATCH 1/2] Accepting request 1110811 from home:mschreiner:branches:devel:languages:python - Add avoid-ddos-on-carefully-crafted-spec-files.patch. - This patch fixes an endless loop that could be triggered by carefully crafting a malicious RPM spec file. - Issue was reported by David Anes, who also contributed the patch. - More details on the .spec file. - Update to v0.14.1. - For a full changelog here, please check the .changes file. OBS-URL: https://build.opensuse.org/request/show/1110811 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-python-rpm-spec?expand=0&rev=12 --- ...-DoS-on-carefully-crafted-spec-files.patch | 28 ++++++++++++++ python-python-rpm-spec.changes | 38 +++++++++++++++++++ python-python-rpm-spec.spec | 20 +++++++--- python-rpm-spec-0.10.tar.gz | 3 -- python-rpm-spec-0.14.1.tar.gz | 3 ++ 5 files changed, 83 insertions(+), 9 deletions(-) create mode 100644 avoid-DoS-on-carefully-crafted-spec-files.patch delete mode 100644 python-rpm-spec-0.10.tar.gz create mode 100644 python-rpm-spec-0.14.1.tar.gz diff --git a/avoid-DoS-on-carefully-crafted-spec-files.patch b/avoid-DoS-on-carefully-crafted-spec-files.patch new file mode 100644 index 0000000..257250e --- /dev/null +++ b/avoid-DoS-on-carefully-crafted-spec-files.patch 
@@ -0,0 +1,28 @@ +Index: python-rpm-spec-0.14.1/pyrpm/spec.py +=================================================================== +--- python-rpm-spec-0.14.1.orig/pyrpm/spec.py ++++ python-rpm-spec-0.14.1/pyrpm/spec.py +@@ -490,7 +490,7 @@ class Spec: + return spec + + +-def replace_macros(string: str, spec: Spec) -> str: ++def replace_macros(string: str, spec: Spec, max_attempts: int = 1000) -> str: + """Replace all macros in given string with corresponding values. + + For example, a string '%{name}-%{version}.tar.gz' will be transformed to 'foo-2.0.tar.gz'. +@@ -552,10 +552,12 @@ def replace_macros(string: str, spec: Sp + + return match.string[match.start() : match.end()] + +- # Recursively expand macros ++ # Recursively expand macros, respecting the limit imposed by 'max_attempts' + # Note: If macros are not defined in the spec file, this won't try to + # expand them. +- while True: ++ attempt = 0 ++ while attempt < max_attempts: ++ attempt += 1 + ret = re.sub(_macro_pattern, get_replacement_string, string) + if ret != string: + string = ret diff --git a/python-python-rpm-spec.changes b/python-python-rpm-spec.changes index 2248f66..7757491 100644 --- a/python-python-rpm-spec.changes +++ b/python-python-rpm-spec.changes 
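Review bot: The loop in this version of the patch has no result once `max_attempts` is exhausted: the hunk ends at `string = ret`, and the only `return` in the original body sits inside the `while` (it shows up as `- return ret` in the follow-up commit further down this page), so a spec that hits the cap makes `replace_macros` fall off the end and return `None` despite its `-> str` annotation, trading the endless loop for a `TypeError` in the first caller that concatenates the result. The loop needs an explicit exit with a value, e.g. `break` once the string is stable and `return ret` after the loop; the second commit in this series replaces the patch with exactly that shape. The rest of replace_macros's body lies outside this hunk.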
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Wed Sep 13 06:08:44 UTC 2023 - Martin Schreiner + +- Add avoid-ddos-on-carefully-crafted-spec-files.patch. +- Update to v0.14.1: + - Changes from v0.14.1: + - Fix replace_macro's behavior with user-defined conditional + macros. + - The parsing of package names was wrong when tab characters where + used in %package. + - Implement parsing of spec files where sub-packages (%package) + have their own sources and patches defined. Previously, the + parser would just fail with an error message like + AttributeError: 'Package' object has no attribute + 'sources'. This is now fixed. + - Use SemVer for versioning. git tags are now prefixed with v, + e.g. v0.15.0 instead of 0.15.0. + - Changes from v0.14: + - Teach replace_macro how to deal with macros that are not wrapped + in curly braces. + - Add type annotations for tools like mypy, your IDE, and your + brain. + - Changes from v0.13: + - Fix parsing of BuildRequires:, Requires:, Conflicts:, + Obsoletes:, Provides: with comments at end of line.. + - Add CI for Python 3.11. + - Changes from v0.12: + - Fix %description and %changelog with multi-line strings. + - Changes from v0.11: + - Add type annotations for tools like mypy, your IDE, and your + brain. + - replace_macros() function now always expects a Spec instance as + second argument. Does not make much sense without. + - Add support for parsing %description and %changelog. + - Add support for ExcludeArch and ExclusiveArch. + - Add warnings_enabled knob to issue warnings of type UserWarning + during spec file parsing. + ------------------------------------------------------------------- Tue Nov 17 04:47:01 UTC 2020 - John Vandenberg diff --git a/python-python-rpm-spec.spec b/python-python-rpm-spec.spec index 709903d..b4348da 100644 --- a/python-python-rpm-spec.spec +++ b/python-python-rpm-spec.spec 
@@ -1,7 +1,7 @@ # # spec file for package python-python-rpm-spec # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,15 +17,21 @@ %define skip_python2 1 -%{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-python-rpm-spec -Version: 0.10 +Version: 0.14.1 Release: 0 Summary: Python module for parsing RPM spec files License: MIT Group: Development/Libraries/Python URL: https://github.com/bkircher/python-rpm-spec Source0: https://files.pythonhosted.org/packages/source/p/python-rpm-spec/python-rpm-spec-%{version}.tar.gz +# PATCH-FIX-OPENSUSE avoid-DoS-on-carefully-crafted-spec-files.patch bsc#1215274 +# this patch fixes an endless loop that could be triggered by carefully crafting +# a malicious RPM spec file that uses macro expansions, causing a denial-of-service +# PR to upstream code here: https://github.com/bkircher/python-rpm-spec/pull/62 +Patch0: avoid-DoS-on-carefully-crafted-spec-files.patch +BuildRequires: %{python_module flit} +BuildRequires: %{python_module pip} BuildRequires: %{python_module pytest} BuildRequires: %{python_module setuptools} BuildRequires: fdupes @@ -42,12 +48,13 @@ access to various bits of information that is contained in the spec file. %prep %setup -q -n python-rpm-spec-%{version} +%patch0 -p1 %build -%python_build +%pyproject_wheel %install -%python_install +%pyproject_install %python_expand %fdupes %{buildroot}%{$python_sitelib} %check @@ -56,6 +63,7 @@ access to various bits of information that is contained in the spec file. %files %{python_files} %doc CHANGELOG* README* %license LICENSE* -%{python_sitelib}/* +%{python_sitelib}/python_rpm_spec-%{version}*-info +%{python_sitelib}/pyrpm %changelog diff --git a/python-rpm-spec-0.10.tar.gz b/python-rpm-spec-0.10.tar.gz deleted file mode 100644 index 98ee0f7..0000000 
--- a/python-rpm-spec-0.10.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:19ce7d5cc305c883bbd36a1d2d8afc8a4b02f9dc5ef1c9a5bfd753c1cfdc16f1 -size 36393 diff --git a/python-rpm-spec-0.14.1.tar.gz b/python-rpm-spec-0.14.1.tar.gz new file mode 100644 index 0000000..404fc06 --- /dev/null +++ b/python-rpm-spec-0.14.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0d4224d21ae59b60b19676cb9db027d1af132868cf8d0b4650960ff9468ebb4a +size 59082 From 62bffaadfe7f7f4b9c78e082d8d823d20ba3faaa82a2c65635e2a7cf31ebf063 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mark=C3=A9ta=20Machov=C3=A1?= Date: Thu, 14 Sep 2023 07:17:59 +0000 Subject: [PATCH 2/2] Accepting request 1110927 from home:mschreiner:branches:devel:languages:python - Replace the contents of avoid-DoS-on-carefully-crafted-spec-files.patch with a backwards-compatible patch, written by David Anes. OBS-URL: https://build.opensuse.org/request/show/1110927 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-python-rpm-spec?expand=0&rev=13 --- ...-DoS-on-carefully-crafted-spec-files.patch | 24 ++++++++++--------- python-python-rpm-spec.changes | 8 ++++++- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/avoid-DoS-on-carefully-crafted-spec-files.patch b/avoid-DoS-on-carefully-crafted-spec-files.patch index 257250e..7e6e1d7 100644 --- a/avoid-DoS-on-carefully-crafted-spec-files.patch +++ b/avoid-DoS-on-carefully-crafted-spec-files.patch @@ -1,8 +1,8 @@ -Index: python-rpm-spec-0.14.1/pyrpm/spec.py -=================================================================== ---- python-rpm-spec-0.14.1.orig/pyrpm/spec.py -+++ python-rpm-spec-0.14.1/pyrpm/spec.py -@@ -490,7 +490,7 @@ class Spec: +diff --git a/pyrpm/spec.py b/pyrpm/spec.py +index 42515bf..1a290ba 100644 +--- a/pyrpm/spec.py ++++ b/pyrpm/spec.py +@@ -490,7 +490,7 @@ def from_string(cls, string: str) -> "Spec": return spec 
@@ -11,18 +11,20 @@ Index: python-rpm-spec-0.14.1/pyrpm/spec.py """Replace all macros in given string with corresponding values. For example, a string '%{name}-%{version}.tar.gz' will be transformed to 'foo-2.0.tar.gz'. -@@ -552,10 +552,12 @@ def replace_macros(string: str, spec: Sp - - return match.string[match.start() : match.end()] - -- # Recursively expand macros -+ # Recursively expand macros, respecting the limit imposed by 'max_attempts' +@@ -555,9 +555,13 @@ def get_replacement_string(match: re.Match) -> str: + # Recursively expand macros # Note: If macros are not defined in the spec file, this won't try to # expand them. - while True: + attempt = 0 ++ ret = "" + while attempt < max_attempts: + attempt += 1 ret = re.sub(_macro_pattern, get_replacement_string, string) if ret != string: string = ret + continue +- return ret ++ break ++ return ret +\ No newline at end of file diff --git a/python-python-rpm-spec.changes b/python-python-rpm-spec.changes index 7757491..60c96c5 100644 --- a/python-python-rpm-spec.changes +++ b/python-python-rpm-spec.changes @@ -1,7 +1,13 @@ +------------------------------------------------------------------- +Wed Sep 13 15:17:43 UTC 2023 - Martin Schreiner + +- Replace the contents of avoid-DoS-on-carefully-crafted-spec-files.patch + with a backwards-compatible patch, written by David Anes. + ------------------------------------------------------------------- Wed Sep 13 06:08:44 UTC 2023 - Martin Schreiner -- Add avoid-ddos-on-carefully-crafted-spec-files.patch. +- Add avoid-DoS-on-carefully-crafted-spec-files.patch. - Update to v0.14.1: - Changes from v0.14.1: - Fix replace_macro's behavior with user-defined conditional
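Review bot: Seeding the result with `ret = ""` means a caller passing `max_attempts=0` (or any non-positive value) gets an empty string back instead of the unexpanded input; `ret = string` is the safer initial value and costs nothing for the default of 1000. Reaching the cap is also indistinguishable from a complete expansion — the last pass ends in `string = ret; continue`, so the partially expanded string is returned silently — and a `while ... else:` clause (the `else` runs only when the loop was not left by `break`, i.e. exactly when the cap was hit) would be the place to issue a `UserWarning` through whatever the module already uses for the `warnings_enabled` knob mentioned in the changes entry on this page, so callers can tell the result is incomplete. Note too that the cap bounds passes, not work: each pass re-runs `re.sub` over the whole string, and if a macro body can end up referencing itself more than once the string can grow geometrically per pass and exhaust memory long before attempt 1000 — I cannot see from the hunk how macro definitions are stored, so whether such a definition survives parsing is something to confirm with a test, and a length ceiling on `ret` would close that case independently of the iteration count. The enclosing function starts outside this hunk.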