Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1138216,
regarding bookworm-pu: package python3-pymatgen/2022.11.7+dfsg1-11+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138216: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138216
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python3-pymatgen
User: [email protected]
Usertags: pu bsp-2026-05-07-brazil

[ Reason ]
Fix ReDoS vulnerability in pymatgen: CVE-2022-42964. [1]

[ Impact ]
A crafted Gaussian input string can trigger exponential
backtracking in GaussianInput.from_string, leading to
excessive CPU usage and potential denial of service.

[ Tests ]
The vulnerable code path was tested with the proposed
patch applied.

[ Risks ]
Low risk. The change is limited to the Gaussian input
parser and is a targeted backport of the upstream fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream patch fixing ReDoS in
GaussianInput.from_string.

[ Other info ]
Testing against the version currently available in bookworm
did not reveal any issues. However, while testing with the
python3.11 version currently in bookworm-proposed-updates,
I observed an autopkgtest failure in a reverse dependency.

At this point it is still unclear whether the issue is caused
by a regression in python3.11 or by the reverse dependency
itself.

As part of that investigation, an existing patch in
python-emmet-core appears to mitigate the observed failure.
If further action is required, a separate bookworm-pu request
will be filed for that package.

@dparsons has reviewed this backport and will sponsor it.
diff -Nru pymatgen-2022.11.7+dfsg1/debian/changelog 
pymatgen-2022.11.7+dfsg1/debian/changelog
--- pymatgen-2022.11.7+dfsg1/debian/changelog   2024-08-28 10:15:13.000000000 
-0300
+++ pymatgen-2022.11.7+dfsg1/debian/changelog   2026-05-27 08:45:16.000000000 
-0300
@@ -1,3 +1,12 @@
+pymatgen (2022.11.7+dfsg1-11+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * d/patches:
+    - CVE-2022-42964: Import and backport patch (Closes: #1024017)
+      (Fix exponential ReDoS in GaussianInput.from_string method)
+
+ -- Matheus Polkorny <[email protected]>  Wed, 27 May 2026 08:45:16 -0300
+
 pymatgen (2022.11.7+dfsg1-11+deb12u1) bookworm-security; urgency=medium
 
   * CVE-2024-23346 (Closes: #1064514)
diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch 
pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch
--- pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch        
1969-12-31 21:00:00.000000000 -0300
+++ pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch        
2026-05-27 08:45:16.000000000 -0300
@@ -0,0 +1,24 @@
+From: Luis Barroso-Luque <[email protected]>
+Date: Tue, 12 Aug 2025 17:03:47 -0700
+Subject: patch ReDOS vulnerability:
+ 
https://salsa.debian.org/debichem-team/pymatgen/-/commit/dcba4226dfc59789070bd1f7aa40b953e7722651
+ (#4476)
+
+Origin: upstream, 
https://github.com/materialsproject/pymatgen/commit/0f5c4af439817a7742dc2d4608357cc252f655f8
+---
+ pymatgen/io/gaussian.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pymatgen/io/gaussian.py b/pymatgen/io/gaussian.py
+index c17bdbc..76fbae8 100644
+--- a/pymatgen/io/gaussian.py
++++ b/pymatgen/io/gaussian.py
+@@ -90,7 +90,7 @@ class GaussianInput:
+     """
+ 
+     # Commonly used regex patterns
+-    _zmat_patt = re.compile(r"^(\w+)*([\s,]+(\w+)[\s,]+(\w+))*[\-\.\s,\w]*$")
++    _zmat_patt = 
re.compile(r"^(\w+)([\s,]+(\w+)[\s,]+(\w+)){0,3}[\-\.\s,\w]*$")
+     _xyz_patt = 
re.compile(r"^(\w+)[\s,]+([\d\.eE\-]+)[\s,]+([\d\.eE\-]+)[\s,]+" 
r"([\d\.eE\-]+)[\-\.\s,\w.]*$")
+ 
+     def __init__(
diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/series 
pymatgen-2022.11.7+dfsg1/debian/patches/series
--- pymatgen-2022.11.7+dfsg1/debian/patches/series      2024-08-28 
10:15:13.000000000 -0300
+++ pymatgen-2022.11.7+dfsg1/debian/patches/series      2026-05-27 
08:45:16.000000000 -0300
@@ -12,3 +12,4 @@
 stress_fp_approx_2839.patch
 no_mp_api.patch
 CVE-2024-23346.patch
+CVE-2022-42964.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to