Date: Thu, 29 Aug 2024 08:51:51 GMT
Message-Id: <202408290851.47T8pp5b048746@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Nicola Vitale
Subject: git: 9567ab3ffe66 - main - devel/py-configobj: Fix security issue CVE-2023-26112
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: nivit
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9567ab3ffe66f9d61898ab4ce8f5961ea2798d45

The branch main has been updated by nivit:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9567ab3ffe66f9d61898ab4ce8f5961ea2798d45

commit 9567ab3ffe66f9d61898ab4ce8f5961ea2798d45
Author:     Nicola Vitale
AuthorDate: 2024-08-29 08:37:13 +0000
Commit:     Nicola Vitale
CommitDate: 2024-08-29 08:51:21 +0000

    devel/py-configobj: Fix security issue CVE-2023-26112

    - Add a patch to fix Regular Expression Denial of Service.
      It is an unofficial patch [1], but it has already been applied
      by other projects such as Debian or Fedora [2].
    - Bump PORTREVISION

    Reference: https://github.com/DiffSK/configobj/pull/236 [1]
    Reference: https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2]
    Reference: https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2]
    Security: CVE-2023-26112
---
 devel/py-configobj/Makefile | 2 +-
 devel/py-configobj/files/patch-src_configobj_validate.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/devel/py-configobj/Makefile b/devel/py-configobj/Makefile index 148e09e20ef2..699f677cbc10 100644 --- a/devel/py-configobj/Makefile +++ b/devel/py-configobj/Makefile 
@@ -1,6 +1,6 @@ PORTNAME= configobj PORTVERSION= 5.0.8 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/devel/py-configobj/files/patch-src_configobj_validate.py b/devel/py-configobj/files/patch-src_configobj_validate.py new file mode 100644 index 000000000000..72eb31a15105 --- /dev/null +++ b/devel/py-configobj/files/patch-src_configobj_validate.py @@ -0,0 +1,16 @@ +From: cdcadman +Date: Wed, 17 May 2023 03:57:08 -0700 +Subject: Address CVE-2023-26112 ReDoS + +Origin: https://github.com/DiffSK/configobj/pull/236 +--- src/configobj/validate.py.orig 2023-01-18 22:28:31 UTC ++++ src/configobj/validate.py +@@ -541,7 +541,7 @@ class Validator(object): + """ + + # this regex does the initial parsing of the checks +- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL) ++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL) + + # this regex takes apart keyword arguments + _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL)
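
Review bot: In the `_func_re` change at the end of patch-src_configobj_validate.py, only the first group is bounded; the second group is still a greedy `(.*)` under re.DOTALL, so the pattern stays linear only when it is applied anchored at the start of the check string. The call site is outside this hunk, so it is worth confirming that it uses match() and not search(), since with search() every start position can rescan the rest of the input. Two smaller points: inside a character class the parentheses need no escaping, and the lazy quantifier no longer changes what the group can match before the following `\(`, so `([^()]+)` says the same thing more plainly. Because the commit message describes this as an unofficial patch, a comment above the regex, or a regression test with a long unbalanced check string, would help whoever has to drop or rebase this patch once upstream ships its own fix.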