- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar

gh#PythonCharmers/python-future#610
  bsc#1206673

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-future?expand=0&rev=33

CVE-2022-40899.patch

@@ -0,0 +1,70 @@
+Index: future-0.16.0/src/future/backports/http/cookiejar.py
+===================================================================
+--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
++++ future-0.16.0/src/future/backports/http/cookiejar.py
+@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
+        (?::(\d\d))?    # optional seconds
+     )?                 # optional clock
+        \s*
+-    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
++    (?:
++       ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
+        \s*
+-    (?:\(\w+\))?       # ASCII representation of timezone in parens.
+-       \s*$""", re.X | re.ASCII)
++    )?
++    (?:
++       \(\w+\)         # ASCII representation of timezone in parens.
++       \s*
++    )?$""", re.X | re.ASCII)
+ def http2time(text):
+     """Returns time in seconds since epoch of time represented by a string.
+ 
+@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
+       (?::?(\d\d(?:\.\d*)?))?  # optional seconds (and fractional)
+    )?                    # optional clock
+       \s*
+-   ([-+]?\d\d?:?(:?\d\d)?
+-    |Z|z)?               # timezone  (Z is "zero meridian", i.e. GMT)
+-      \s*$""", re.X | re. ASCII)
++   (?:
++      ([-+]?\d\d?:?(:?\d\d)?
++       |Z|z)             # timezone  (Z is "zero meridian", i.e. GMT)
++      \s*
++   )?$""", re.X | re. ASCII)
+ def iso2time(text):
+     """
+     As for http2time, but parses the ISO 8601 formats:
+Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
+===================================================================
+--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
++++ future-0.16.0/tests/test_future/test_http_cookiejar.py
+@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
+                               "http2time(%s) is not None\n"
+                               "http2time(test) %s" % (test, http2time(test)))
+ 
++    def test_http2time_redos_regression_actually_completes(self):
++        # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
++        # catastrophic backtracking (REDoS). If we regress to cubic complexity,
++        # this test will take a very long time to succeed. If fixed, it should
++        # complete within a fraction of a second.
++        http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
++        http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
++
+     def test_iso2time(self):
+         def parse_date(text):
+             return time.gmtime(iso2time(text))[:6]
+@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
+                               "iso2time(%s) is not None\n"
+                               "iso2time(test) %s" % (test, iso2time(test)))
+ 
++    def test_iso2time_performance_regression(self):
++        # If ISO_DATE_RE regresses to quadratic complexity, this test will take
++        # a very long time to succeed. If fixed, it should complete within a
++        # fraction of a second.
++        iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
++        iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
++
+ 
+ class HeaderTests(unittest.TestCase):
+ 

python-future.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan  5 12:03:41 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
+  gh#PythonCharmers/python-future#610
+  bsc#1206673
+
 -------------------------------------------------------------------
 Fri Mar 12 13:35:13 UTC 2021 - Matej Cepl <mcepl@suse.com>
 

python-future.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-future
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,7 +16,6 @@
 #
 
 
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-future
 Version:        0.18.2
 Release:        0
@@ -33,6 +32,8 @@ Patch1:         future-correct-mimetype.patch
 # PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 mcepl@suse.com
 # Overcome incompatibilites with python 3.9
 Patch2:         python39-build.patch
+# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 bsc#1206673
+Patch3:         CVE-2022-40899.patch
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
@@ -43,7 +44,7 @@ BuildRequires:  %{python_module dbm}
 BuildRequires:  python3-dbm
 %endif
 Requires(post): update-alternatives
-Requires(preun):update-alternatives
+Requires(postun):update-alternatives
 BuildArch:      noarch
 %python_subpackages
 
@@ -71,7 +72,7 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
 %post
 %{python_install_alternative futurize pasteurize}
 
-%preun
+%postun
 %python_uninstall_alternative futurize
 
 %check
@@ -86,6 +87,10 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
 %license LICENSE.txt
 %python_alternative %{_bindir}/futurize
 %python_alternative %{_bindir}/pasteurize
-%{python_sitelib}/*
+%{python_sitelib}/future-%{version}*-info
+%{python_sitelib}/future
+%{python_sitelib}/libfuturize
+%{python_sitelib}/libpasteurize
+%{python_sitelib}/past
 
 %changelog