Accepting request 1056169 from devel:languages:python

- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar gh#PythonCharmers/python-future#610 bsc#1206673 OBS-URL: https://build.opensuse.org/request/show/1056169 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-future?expand=0&rev=14
2023-01-06 16:04:23 +00:00 · 2023-01-06 16:04:23 +00:00 · d01d5fd3b9
commit d01d5fd3b9
parent 9be19adf3a 81ffe1c021
3 changed files with 87 additions and 5 deletions
--- a/CVE-2022-40899.patch
+++ b/CVE-2022-40899.patch
@ -0,0 +1,70 @@
+Index: future-0.16.0/src/future/backports/http/cookiejar.py
+===================================================================
+--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
+++ future-0.16.0/src/future/backports/http/cookiejar.py
+@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
+        (?::(\d\d))?    # optional seconds
+     )?                 # optional clock
+        \s*
+-    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+    (?:
+       ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
+        \s*
+-    (?:\(\w+\))?       # ASCII representation of timezone in parens.
+-       \s*$""", re.X | re.ASCII)
+    )?
+    (?:
+       \(\w+\)         # ASCII representation of timezone in parens.
+       \s*
+    )?$""", re.X | re.ASCII)
+ def http2time(text):
+     """Returns time in seconds since epoch of time represented by a string.
+ 
+@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
+       (?::?(\d\d(?:\.\d*)?))?  # optional seconds (and fractional)
+    )?                    # optional clock
+       \s*
+-   ([-+]?\d\d?:?(:?\d\d)?
+-    |Z|z)?               # timezone  (Z is "zero meridian", i.e. GMT)
+-      \s*$""", re.X | re. ASCII)
+   (?:
+      ([-+]?\d\d?:?(:?\d\d)?
+       |Z|z)             # timezone  (Z is "zero meridian", i.e. GMT)
+      \s*
+   )?$""", re.X | re. ASCII)
+ def iso2time(text):
+     """
+     As for http2time, but parses the ISO 8601 formats:
+Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
+===================================================================
+--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
+++ future-0.16.0/tests/test_future/test_http_cookiejar.py
+@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
+                               "http2time(%s) is not None\n"
+                               "http2time(test) %s" % (test, http2time(test)))
+ 
+    def test_http2time_redos_regression_actually_completes(self):
+        # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
+        # catastrophic backtracking (REDoS). If we regress to cubic complexity,
+        # this test will take a very long time to succeed. If fixed, it should
+        # complete within a fraction of a second.
+        http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
+        http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
+
+     def test_iso2time(self):
+         def parse_date(text):
+             return time.gmtime(iso2time(text))[:6]
+@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
+                               "iso2time(%s) is not None\n"
+                               "iso2time(test) %s" % (test, iso2time(test)))
+ 
+    def test_iso2time_performance_regression(self):
+        # If ISO_DATE_RE regresses to quadratic complexity, this test will take
+        # a very long time to succeed. If fixed, it should complete within a
+        # fraction of a second.
+        iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
+        iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
+
+ 
+ class HeaderTests(unittest.TestCase):
+ 
--- a/python-future.changes
+++ b/python-future.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan  5 12:03:41 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
+  gh#PythonCharmers/python-future#610
+  bsc#1206673
+
 -------------------------------------------------------------------
 Fri Mar 12 13:35:13 UTC 2021 - Matej Cepl <mcepl@suse.com>

--- a/python-future.spec
+++ b/python-future.spec
@ -1,7 +1,7 @@
 #
 # spec file for package python-future
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,7 +16,6 @@
 #


-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-future
 Version:        0.18.2
 Release:        0
@ -33,6 +32,8 @@ Patch1:         future-correct-mimetype.patch
 # PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 mcepl@suse.com
 # Overcome incompatibilites with python 3.9
 Patch2:         python39-build.patch
+# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 bsc#1206673
+Patch3:         CVE-2022-40899.patch
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
@ -43,7 +44,7 @@ BuildRequires:  %{python_module dbm}
 BuildRequires:  python3-dbm
 %endif
 Requires(post): update-alternatives
-Requires(preun):update-alternatives
+Requires(postun):update-alternatives
 BuildArch:      noarch
 %python_subpackages

@ -71,7 +72,7 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
 %post
 %{python_install_alternative futurize pasteurize}

-%preun
+%postun
 %python_uninstall_alternative futurize

 %check
@ -86,6 +87,10 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
 %license LICENSE.txt
 %python_alternative %{_bindir}/futurize
 %python_alternative %{_bindir}/pasteurize
-%{python_sitelib}/*
+%{python_sitelib}/future-%{version}*-info
+%{python_sitelib}/future
+%{python_sitelib}/libfuturize
+%{python_sitelib}/libpasteurize
+%{python_sitelib}/past

 %changelog