Bug#1037079: unblock: configobj/5.0.8-2

2023-06-04 Thread Salvatore Bonaccorso
Hi,

On Sun, Jun 04, 2023 at 09:50:23PM +0200, Sebastian Ramacher wrote:
> retitle 1037079 bookworm-pu: configobj/5.0.8-2
> tags 1037079 bookworm moreinfo
> user release.debian@packages.debian.org
> usertags 1037079 + pu - unblock
> thanks
> 
> Hi Stefano
> 
> On 2023-06-03 16:28:41 -0400, Stefano Rivera wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: config...@packages.debian.org
> > Control: affects -1 + src:configobj
> > 
> > Please unblock package configobj
> 
> We have entered the quiet period of bookworm [1]. Please consider
> fixing this issue via bookworm-pu. As this update fixes a security
> issue, please also check with the Security Team in case this update is
> worthy of a DSA.

As it does not warrant a DSA, the first bookworm point release is fine
for it.

Regards,
Salvatore



Bug#1037079: unblock: configobj/5.0.8-2

2023-06-04 Thread Sebastian Ramacher
retitle 1037079 bookworm-pu: configobj/5.0.8-2
tags 1037079 bookworm moreinfo
user release.debian@packages.debian.org
usertags 1037079 + pu - unblock
thanks

Hi Stefano

On 2023-06-03 16:28:41 -0400, Stefano Rivera wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: config...@packages.debian.org
> Control: affects -1 + src:configobj
> 
> Please unblock package configobj

We have entered the quiet period of bookworm [1]. Please consider
fixing this issue via bookworm-pu. As this update fixes a security
issue, please also check with the Security Team in case this update is
worthy of a DSA.

Cheers

[1] https://lists.debian.org/debian-devel-announce/2023/06/msg0.html
-- 
Sebastian Ramacher



Bug#1037079: unblock: configobj/5.0.8-2

2023-06-03 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config...@packages.debian.org
Control: affects -1 + src:configobj

Please unblock package configobj

[ Reason ]
Resolves a (minor) security issue. The patch only became available
recently.

It resolves a ReDoS attack (regular expression denial of service)
potentially caused by parsing untrusted configuration files.

[ Impact ]
Ship with an outstanding (very minor) security issue.

[ Tests ]
The patch includes a regression test.

The package test suite passes.

[ Risks ]
Trivial change to a regex, which looks reasonable.

Upstream hasn't reviewed it yet.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock configobj/5.0.8-2
diff -Nru configobj-5.0.8/debian/changelog configobj-5.0.8/debian/changelog
--- configobj-5.0.8/debian/changelog2023-01-26 18:57:36.0 -0400
+++ configobj-5.0.8/debian/changelog2023-06-03 16:23:41.0 -0400
@@ -1,3 +1,11 @@
+configobj (5.0.8-2) unstable; urgency=medium
+
+  * Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
+attack. (Closes: #1034152)
+  * Clean correctly.
+
+ -- Stefano Rivera   Sat, 03 Jun 2023 16:23:41 -0400
+
 configobj (5.0.8-1) unstable; urgency=medium
 
   * New upstream release!
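Review bot: the second entry, "Clean correctly.", does not say what was wrong or what now gets removed; the debian/clean file added alongside deletes src/configobj.egg-info/*, so something like "Remove src/configobj.egg-info on clean so the package builds twice in a row" (if that is the failure being fixed) tells the point-release reviewer what changed. The CVE entry could also name the upstream PR the patch is taken from, since the patch header is the only place it appears.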
diff -Nru configobj-5.0.8/debian/clean configobj-5.0.8/debian/clean
--- configobj-5.0.8/debian/clean1969-12-31 20:00:00.0 -0400
+++ configobj-5.0.8/debian/clean2023-06-03 16:23:41.0 -0400
@@ -0,0 +1 @@
+src/configobj.egg-info/*
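Review bot: `src/configobj.egg-info/*` removes only the files inside the egg-info directory and leaves the empty directory behind after a clean; dh_clean treats an entry ending in a slash as a directory to remove together with its contents, so `src/configobj.egg-info/` is the cleaner form. Worth confirming that this directory is purely build output regenerated by setuptools and not shipped in the orig tarball, otherwise the clean target would be deleting source.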
diff -Nru configobj-5.0.8/debian/patches/CVE-2023-26112 
configobj-5.0.8/debian/patches/CVE-2023-26112
--- configobj-5.0.8/debian/patches/CVE-2023-26112   1969-12-31 
20:00:00.0 -0400
+++ configobj-5.0.8/debian/patches/CVE-2023-26112   2023-06-03 
16:23:41.0 -0400
@@ -0,0 +1,48 @@
+From: cdcadman 
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+---
+ src/configobj/validate.py |  2 +-
+ src/tests/test_validate_errors.py | 10 +-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
 b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+ """
+ 
+ # this regex does the initial parsing of the checks
+-_func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++_func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+ # this regex takes apart keyword arguments
+ _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  
re.DOTALL)
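Review bot: the backslashes inside the character class in `([^\(\)]+?)` are unnecessary and make the pattern harder to read; `([^()]+?)` is equivalent. Why the change removes the quadratic path deserves a comment beside the regex: group 1 can no longer run past the `)` that the payload places before its run of `(`, so the expensive `(.*)\)` scan over that run happens at most once instead of once per extra character group 1 can absorb. Note also that the pattern is still unanchored at the end, so text after the last `)` is silently accepted exactly as before; not introduced by this patch, but worth a look while the regex is being touched.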
+diff --git a/src/tests/test_validate_errors.py 
b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
 b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+ 
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+ 
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+ ini.write('[[haha]]')
+ with pytest.raises(NestingError):
+ conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++value = "aaa"
++i = 165100
++attack = '\x00'*i + ')' + '('*i
++with pytest.raises(VdtUnknownCheckError):
++val.check(attack, value)
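Review bot: `test_re_dos` asserts only the exception, and with the old pattern it would not fail but hang (i = 165100 means on the order of 10^10 backtracking steps in Python's `re`), so a regression shows up as a CI timeout rather than a failing test. Wrapping the call in a wall-clock bound (for example timing `val.check` and asserting it returns within a second) makes the intent explicit, and the magic number and the `'\x00'*i + ')' + '('*i` shape deserve a one-line comment saying why that shape is quadratic against `(.+?)\((.*)\)`. The `val` fixture is not defined in the context shown for this file; confirm it comes from a conftest or an earlier fixture in the module.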
diff -Nru configobj-5.0.8/debian/patches/series 
configobj-5.0.8/debian/patches/series
--- configobj-5.0.8/debian/patches/series   1969-12-31 20:00:00.0 
-0400
+++ configobj-5.0.8/debian/patches/series   2023-06-03 16:23:41.0 
-0400
@@ -0,0 +1 @@
+CVE-2023-26112
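As an added illustration that is not part of the bug report or of configobj's own code: the following Python script (constructed here) takes the two `_func_re` patterns from the debdiff and shows what the regression test cannot, namely why the payload shape used in `test_re_dos` is quadratic against the old pattern and linear against the fixed one, while ordinary checks such as `integer(min=0, max=10)` parse identically with both. That the validator applies the regex from the start of the check string is assumed from the regex and the test; `parse_check` is a stand-in for that step, not configobj's `Validator` code, and `growth_ratio` is a constructed helper.

```python
import re
import time

# Patterns as they appear in the debdiff (old and fixed); everything else in
# this file is a constructed demonstration, not configobj's code.
OLD_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
NEW_FUNC_RE = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)


def redos_payload(n):
    """Payload shape from test_re_dos: n NUL bytes, one ')', then n '('.

    Against OLD_FUNC_RE the lazy group 1 is allowed to swallow the ')', and
    every further character it absorbs lets '\\((.*)\\)' match the next '('
    and scan the remaining run of '(' before '\\)' fails: O(n) work per
    extension, O(n) extensions, O(n^2) overall.  NEW_FUNC_RE cannot extend
    group 1 across the ')' and gives up after a single O(n) pass.
    """
    return '\x00' * n + ')' + '(' * n


def parse_check(pattern, check):
    """Apply the pattern from the start of the check string (assumed to be
    how Validator uses it; the Validator code is not on the page).

    Returns (function_name, argument_string), or None when the check does
    not look like a call, which is the path that ends in VdtUnknownCheckError.
    """
    m = pattern.match(check)
    if m is None:
        return None
    return m.group(1), m.group(2)


def time_match(pattern, check):
    """Seconds spent in parse_check for one input."""
    start = time.perf_counter()
    parse_check(pattern, check)
    return time.perf_counter() - start


def growth_ratio(pattern, n):
    """Run time for payload size 2n divided by run time for size n:
    roughly 4 for a quadratic pattern, roughly 1 to 2 for a linear one."""
    t_n = time_match(pattern, redos_payload(n))
    t_2n = time_match(pattern, redos_payload(2 * n))
    return t_2n / t_n if t_n > 0 else float('inf')


if __name__ == '__main__':
    # Legitimate checks parse identically with both patterns.
    for check in ('integer(min=0, max=10)', "option('a', 'b')", 'string'):
        assert parse_check(OLD_FUNC_RE, check) == parse_check(NEW_FUNC_RE, check)
        print(f'{check!r:30} -> {parse_check(NEW_FUNC_RE, check)}')

    # Keep n in the low thousands: the old pattern already needs ~n^2/2 steps.
    for n in (2000, 4000):
        print(f'n={n}: old {time_match(OLD_FUNC_RE, redos_payload(n)):.3f}s, '
              f'new {time_match(NEW_FUNC_RE, redos_payload(n)):.6f}s')
    print(f'old growth ratio: {growth_ratio(OLD_FUNC_RE, 2000):.1f} (quadratic ~4)')
    print(f'new growth ratio: {growth_ratio(NEW_FUNC_RE, 2000):.1f} (linear ~1-2)')
```

Run it directly to see the timings. The script deliberately stays at n in the low thousands; the i = 165100 used by the regression test would cost the old pattern on the order of 10^10 backtracking steps, which is why that test hangs rather than fails on an unpatched validate.py.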