Control: tags 979597 + patch
Control: tags 979597 + pending
Dear maintainer,

I've prepared an NMU for cairosvg (versioned as 2.5.0-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru cairosvg-2.5.0/debian/changelog cairosvg-2.5.0/debian/changelog --- cairosvg-2.5.0/debian/changelog 2020-11-30 17:51:18.000000000 +0100 +++ cairosvg-2.5.0/debian/changelog 2021-01-16 09:45:26.000000000 +0100 @@ -1,3 +1,11 @@ +cairosvg (2.5.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Don't use overlapping groups for regular expressions (CVE-2021-21236) + (Closes: #979597) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 16 Jan 2021 09:45:26 +0100 + cairosvg (2.5.0-1) unstable; urgency=low [ Debian Janitor ] diff -Nru cairosvg-2.5.0/debian/patches/0002-Don-t-use-overlapping-groups-for-regular-expressions.patch cairosvg-2.5.0/debian/patches/0002-Don-t-use-overlapping-groups-for-regular-expressions.patch --- cairosvg-2.5.0/debian/patches/0002-Don-t-use-overlapping-groups-for-regular-expressions.patch 1970-01-01 01:00:00.000000000 +0100 +++ cairosvg-2.5.0/debian/patches/0002-Don-t-use-overlapping-groups-for-regular-expressions.patch 2021-01-16 09:43:01.000000000 +0100 
@@ -0,0 +1,59 @@ +From: Guillaume Ayoub <guilla...@courtbouillon.org> +Date: Fri, 1 Jan 2021 00:05:55 +0100 +Subject: =?UTF-8?q?Don=E2=80=99t=20use=20overlapping=20groups=20for=20regu?= + =?UTF-8?q?lar=20expressions?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc +Bug-Debian: https://bugs.debian.org/979597 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-21236 + +The section between 'rgb(' and the final ')' contains multiple overlapping +groups. + +Since all three infinitely repeating groups accept spaces, a long string of +spaces causes catastrophic backtracking when it is not followed by a closing +parenthesis. + +The complexity is cubic, so doubling the length of the malicious string of +spaces makes processing take 8 times as long. +--- + cairosvg/colors.py | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/cairosvg/colors.py b/cairosvg/colors.py +index 96d94e1a3210..68eed88db2c7 100644 +--- a/cairosvg/colors.py ++++ b/cairosvg/colors.py +@@ -187,8 +187,8 @@ COLORS = { + 'transparent': (0, 0, 0, 0), + } + +-RGBA = re.compile(r'rgba\([ \n\r\t]*(.+?)[ \n\r\t]*\)') +-RGB = re.compile(r'rgb\([ \n\r\t]*(.+?)[ \n\r\t]*\)') ++RGBA = re.compile(r'rgba\((.+?)\)') ++RGB = re.compile(r'rgb\((.+?)\)') + HEX_RRGGBB = re.compile('#[0-9a-f]{6}') + HEX_RGB = re.compile('#[0-9a-f]{3}') + +@@ -212,14 +212,14 @@ def color(string, opacity=1): + if match: + r, g, b, a = tuple( + float(i.strip(' %')) / 100 if '%' in i else float(i) / 255 +- for i in match.group(1).split(',')) ++ for i in match.group(1).strip().split(',')) + return (r, g, b, a * 255 * opacity) + + match = RGB.search(string) + if match: + r, g, b = tuple( + float(i.strip(' %')) / 100 if '%' in i else float(i) / 255 +- for i in match.group(1).split(',')) ++ for i in match.group(1).strip().split(',')) + return (r, g, b, opacity) + 
+ match = HEX_RRGGBB.search(string) +-- +2.30.0 + diff -Nru cairosvg-2.5.0/debian/patches/series cairosvg-2.5.0/debian/patches/series --- cairosvg-2.5.0/debian/patches/series 2020-11-30 17:51:18.000000000 +0100 +++ cairosvg-2.5.0/debian/patches/series 2021-01-16 09:43:43.000000000 +0100 @@ -1 +1,2 @@ 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch +0002-Don-t-use-overlapping-groups-for-regular-expressions.patch
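Review bot: the replacement patterns `rgba\((.+?)\)` and `rgb\((.+?)\)` in the `@@ -187,8 +187,8 @@` hunk of `cairosvg/colors.py` quietly drop newline handling. The old `[ \n\r\t]*` explicitly consumed `\n` and `\r` around the value, whereas `.` without `re.DOTALL` never matches a newline, so a value such as `rgb(\n255, 0, 0\n)` that matched before now fails to match and falls through to the `HEX_RRGGBB.search(string)` branch that follows. A negated character class, e.g. `rgb\(([^)]+)\)`, keeps the linear-time behaviour the fix is after, accepts any whitespace (which the `.strip()` added in the `@@ -212,14 +212,14 @@` hunk then removes) and avoids the lazy `.+?` altogether.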
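Review bot: the diffstat (`1 file changed, 4 insertions(+), 4 deletions(-)`) shows that only `cairosvg/colors.py` is touched, so nothing in the patch guards against the overlapping groups being reintroduced. A small regression test that calls `color()` on an `rgb(` prefix followed by a long run of spaces and no closing parenthesis, the case the patch description names, and asserts that it returns within a bounded time would make the CVE-2021-21236 fix verifiable in the package's own test suite.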