rpm/python-configobj
SHA256
1
0
Fork 0
forked from pool/python-configobj
Code Pull Requests Activity

Accepting request 1200122 from devel:languages:python

Browse Source 
- Refresh CVE-2023-26112.patch according to the last state of
  gh#DiffSK/configobj!236.

OBS-URL: https://build.opensuse.org/request/show/1200122
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-configobj?expand=0&rev=25
This commit is contained in:
Ana Guerrero 2024-09-13 12:25:56 +00:00 committed by Git OBS Bridge
commit d76396d4e2
2 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2023-26112.patch
View File

@ -8,7 +8,7 @@ Subject: [PATCH] Address CVE-2023-26112 ReDoS
src/tests/test_validate_errors.py | 10 +++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/validate.py b/validate.py
diff --git a/src/configobj/validate.py b/src/configobj/validate.py
index 9267a3f..98d879f 100644
--- a/src/configobj/validate.py
+++ b/src/configobj/validate.py
@ -21,4 +21,28 @@ index 9267a3f..98d879f 100644
# this regex takes apart keyword arguments
_key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL)
diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
index 399daa8..f7d6c27 100644
--- a/src/tests/test_validate_errors.py
+++ b/src/tests/test_validate_errors.py
@@ -3,7 +3,7 @@
import pytest
from configobj import ConfigObj, get_extra_values, ParseError, NestingError
-from configobj.validate import Validator
+from configobj.validate import Validator, VdtUnknownCheckError
@pytest.fixture()
def thisdir():
@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
ini.write('[[haha]]')
with pytest.raises(NestingError):
conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
+
+
+def test_re_dos(val):
+ value = "aaa"
+ i = 165100
+ attack = '\x00'*i + ')' + '('*i
+ with pytest.raises(VdtUnknownCheckError):
+ val.check(attack, value)

6
python-configobj.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Sep 11 12:08:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Refresh CVE-2023-26112.patch according to the last state of
gh#DiffSK/configobj!236.
-------------------------------------------------------------------
Wed Jan 3 16:47:32 UTC 2024 - Ben Greiner <code@bnavigator.de>