Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config...@packages.debian.org
Control: affects -1 + src:configobj
Please unblock package configobj
[ Reason ]
Resolves a (minor) security issue. The patch only became available
recently.
It resolves a ReDoS (regular expression denial of service) in the Validator's check-string parser (`_func_re` in validate.py): a crafted check specification with many parentheses triggers catastrophic backtracking. Exposure appears limited to applications that validate against an untrusted configspec (or otherwise hand attacker-controlled check strings to Validator.check()).
[ Impact ]
Without the unblock, the release would ship with an outstanding (very minor) security issue.
[ Tests ]
The patch includes a regression test.
The package test suite passes.
[ Risks ]
A one-token change to a regex (the check-name group now excludes parentheses), which looks reasonable and only tightens what is accepted: a check string with a `)` before its first `(` previously parsed and now fails to match, which is unlikely to affect any real configspec.
Upstream has not reviewed it yet.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock configobj/5.0.8-2
diff -Nru configobj-5.0.8/debian/changelog configobj-5.0.8/debian/changelog
--- configobj-5.0.8/debian/changelog2023-01-26 18:57:36.0 -0400
+++ configobj-5.0.8/debian/changelog2023-06-03 16:23:41.0 -0400
@@ -1,3 +1,11 @@
+configobj (5.0.8-2) unstable; urgency=medium
+
+ * Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
+attack. (Closes: #1034152)
+ * Clean correctly.
+
+ -- Stefano Rivera Sat, 03 Jun 2023 16:23:41 -0400
+
configobj (5.0.8-1) unstable; urgency=medium
* New upstream release!
diff -Nru configobj-5.0.8/debian/clean configobj-5.0.8/debian/clean
--- configobj-5.0.8/debian/clean1969-12-31 20:00:00.0 -0400
+++ configobj-5.0.8/debian/clean2023-06-03 16:23:41.0 -0400
@@ -0,0 +1 @@
+src/configobj.egg-info/*
diff -Nru configobj-5.0.8/debian/patches/CVE-2023-26112
configobj-5.0.8/debian/patches/CVE-2023-26112
--- configobj-5.0.8/debian/patches/CVE-2023-26112 1969-12-31
20:00:00.0 -0400
+++ configobj-5.0.8/debian/patches/CVE-2023-26112 2023-06-03
16:23:41.0 -0400
@@ -0,0 +1,48 @@
+From: cdcadman
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+---
+ src/configobj/validate.py | 2 +-
+ src/tests/test_validate_errors.py | 10 +-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+ """
+
+ # this regex does the initial parsing of the checks
+-_func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++_func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+
+ # this regex takes apart keyword arguments
+ _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',
re.DOTALL)
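Review bot: The tightened pattern carries no comment explaining why the name group now excludes parentheses, and the `(.*)\)` tail is still greedy under re.DOTALL, so the next person who "simplifies" it back to `.+?` silently reintroduces CVE-2023-26112; suggest `# Name must not contain parentheses: a lazy .+? here backtracks quadratically on attacker-controlled check strings (CVE-2023-26112).` above the compile call. With `match()` the remaining cost is one backward scan of the remainder when no `)` follows the first `(`, which is linear; if `_func_re` is applied with `search()` (its call site is not in this hunk) that scan repeats for every start offset and is quadratic again, so that is worth confirming. Note also a small behavioural change: a check string containing `)` before its first `(` (e.g. `a)b(c)`) previously matched with the `)` inside the name and now does not match at all, which callers will see as the unknown-check error rather than a lookup of that odd name.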
+diff --git a/src/tests/test_validate_errors.py
b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+ ini.write('[[haha]]')
+ with pytest.raises(NestingError):
+ conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++value = "aaa"
++i = 165100
++attack = '\x00'*i + ')' + '('*i
++with pytest.raises(VdtUnknownCheckError):
++val.check(attack, value)
diff -Nru configobj-5.0.8/debian/patches/series
configobj-5.0.8/debian/patches/series
--- configobj-5.0.8/debian/patches/series 1969-12-31 20:00:00.0
-0400
+++ configobj-5.0.8/debian/patches/series 2023-06-03 16:23:41.0
-0400
@@ -0,0 +1 @@
+CVE-2023-26112