commit: cda063145cccc62b96bc09f2b423e449d6dc134a Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Sat Dec 12 08:41:56 2020 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Sat Dec 12 09:09:38 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cda06314
dev-python/py: Backport CVE-2020-29651 fix Closes: https://bugs.gentoo.org/759547 Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> dev-python/py/files/py-1.9.0-cve-2020-29651.patch | 31 ++++++++++++++++++++++ .../py/{py-1.9.0-r1.ebuild => py-1.9.0-r2.ebuild} | 4 +++ 2 files changed, 35 insertions(+) diff --git a/dev-python/py/files/py-1.9.0-cve-2020-29651.patch b/dev-python/py/files/py-1.9.0-cve-2020-29651.patch new file mode 100644 index 00000000000..af89fb14808 --- /dev/null +++ b/dev-python/py/files/py-1.9.0-cve-2020-29651.patch @@ -0,0 +1,31 @@ +From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001 +From: Ran Benita <[email protected]> +Date: Fri, 4 Sep 2020 13:57:26 +0300 +Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame + functionality + +The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject +to catastrophic backtracing given a string like `"1" * 5000`. + +SVN blame output seems to always have at least one space between the +revision number and the user name, so the ambiguity can be fixed by +changing the `*` to `+`. + +Fixes #256. +--- + py/_path/svnwc.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py +index 3138dd85..b5b9d8d5 100644 +--- a/py/_path/svnwc.py ++++ b/py/_path/svnwc.py +@@ -396,7 +396,7 @@ def makecmdoptions(self): + def __str__(self): + return "<SvnAuth username=%s ...>" %(self.username,) + +-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)') ++rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)') + + class SvnWCCommandPath(common.PathBase): + """ path implementation offering access/modification to svn working copies. diff --git a/dev-python/py/py-1.9.0-r1.ebuild b/dev-python/py/py-1.9.0-r2.ebuild similarity index 88% rename from dev-python/py/py-1.9.0-r1.ebuild rename to dev-python/py/py-1.9.0-r2.ebuild index 78e1479659e..c7102745bc3 100644 --- a/dev-python/py/py-1.9.0-r1.ebuild +++ b/dev-python/py/py-1.9.0-r2.ebuild @@ -14,6 +14,8 @@ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" LICENSE="MIT" SLOT="0" KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# This package is unmaintained and keeps being broken periodically. +RESTRICT=test BDEPEND=" dev-python/setuptools_scm[${PYTHON_USEDEP}]" @@ -21,6 +23,8 @@ BDEPEND=" PATCHES=( "${FILESDIR}"/${PN}-1.5.2-skip-apiwarn-pytest31.patch "${FILESDIR}"/${PN}-1.8.0-pytest-4.patch + # https://bugs.gentoo.org/759547 + "${FILESDIR}"/${P}-cve-2020-29651.patch ) distutils_enable_sphinx doc
