git: 9567ab3ffe66 - main - devel/py-configobj: Fix security issue CVE-2023-26112

From: Nicola Vitale <nivit_at_FreeBSD.org>
Date: Thu, 29 Aug 2024 08:51:51 UTC
The branch main has been updated by nivit:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9567ab3ffe66f9d61898ab4ce8f5961ea2798d45

commit 9567ab3ffe66f9d61898ab4ce8f5961ea2798d45
Author:     Nicola Vitale <nivit@FreeBSD.org>
AuthorDate: 2024-08-29 08:37:13 +0000
Commit:     Nicola Vitale <nivit@FreeBSD.org>
CommitDate: 2024-08-29 08:51:21 +0000

    devel/py-configobj: Fix security issue CVE-2023-26112
    
    - Add a patch to fix Regular Expression Denial of Service.
      It is an unofficial patch [1], but it has already been applied by
      other projects such as Debian or Fedora [2].
    
    - Bump PORTREVISION
    
    Reference:      https://github.com/DiffSK/configobj/pull/236 [1]
    Reference:      https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2]
    Reference:      https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2]
    
    Security:       CVE-2023-26112
---
 devel/py-configobj/Makefile                              |  2 +-
 devel/py-configobj/files/patch-src_configobj_validate.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/devel/py-configobj/Makefile b/devel/py-configobj/Makefile
index 148e09e20ef2..699f677cbc10 100644
--- a/devel/py-configobj/Makefile
+++ b/devel/py-configobj/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	configobj
 PORTVERSION=	5.0.8
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
diff --git a/devel/py-configobj/files/patch-src_configobj_validate.py b/devel/py-configobj/files/patch-src_configobj_validate.py
new file mode 100644
index 000000000000..72eb31a15105
--- /dev/null
+++ b/devel/py-configobj/files/patch-src_configobj_validate.py
@@ -0,0 +1,16 @@
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+--- src/configobj/validate.py.orig	2023-01-18 22:28:31 UTC
++++ src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+ 
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)
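
Review bot: on the changed `_func_re` line, the reason the first group now excludes parentheses is not recorded anywhere in the file; the comment above it still says only "this regex does the initial parsing of the checks". With `[^\(\)]+?` the name group has to stop at the first parenthesis, so from a given start position there is a single place where `\(` can match, instead of one candidate per `(` in the input as with `.+?`. Suggest extending that comment to say the name group must not contain parentheses and to cite CVE-2023-26112, so a later cleanup does not relax it back to `.+?`. Two smaller points: the backslashes inside the character class are unnecessary (`[^()]` is equivalent), and the trailing `\((.*)\)` is unchanged and has no end anchor, so the remaining cost and the handling of text after the last `)` depend on how the caller invokes the pattern (anchored match versus search), which is not visible in this hunk and is worth confirming against the call site.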