From: Ankur Tyagi <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112
Signed-off-by: Ankur Tyagi <[email protected]> --- .../python3-configobj/CVE-2023-26112.patch | 25 +++++++++++++++++++ .../python/python3-configobj_5.0.8.bb | 2 ++ 2 files changed, 27 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch diff --git a/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch new file mode 100644 index 0000000000..f9bdcd31b0 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch @@ -0,0 +1,25 @@ +From dd9cf3579d90d1f8c6d06f293cd0958be5ca5518 Mon Sep 17 00:00:00 2001 +From: cdcadman <[email protected]> +Date: Wed, 17 May 2023 03:57:08 -0700 +Subject: [PATCH] Address CVE-2023-26112 ReDoS + +CVE: CVE-2023-26112 +Upstream-Status: Backport [https://github.com/DiffSK/configobj/commit/a82ea8fb0338f2bd46cf627c4b763094448e6bd7] +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/configobj/validate.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/configobj/validate.py b/src/configobj/validate.py +index 9267a3f..98d879f 100644 +--- a/src/configobj/validate.py ++++ b/src/configobj/validate.py +@@ -541,7 +541,7 @@ class Validator(object): + """ + + # this regex does the initial parsing of the checks +- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL) ++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL) + + # this regex takes apart keyword arguments + _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL) diff --git a/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb b/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb index 8dc706fdfd..2f0d1e7203 100644 --- a/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb +++ b/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb @@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3d6f99b84d9a94610c62e48fa2e59e72" PYPI_PACKAGE = "configobj" SRC_URI[sha256sum] = "6f704434a07dc4f4dc7c9a745172c1cad449feb548febd9f7fe362629c627a97" +SRC_URI += "file://CVE-2023-26112.patch" + inherit pypi setuptools3 RDEPENDS:${PN} += " \
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123459): https://lists.openembedded.org/g/openembedded-devel/message/123459 Mute This Topic: https://lists.openembedded.org/mt/117260219/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
