Update python-future to version 0.18.2 / rev 14 via SR 1056169
https://build.opensuse.org/request/show/1056169 by user dgarcia + dimstar_suse - Add CVE-2022-40899.patch to fix REDoS in http.cookiejar gh#PythonCharmers/python-future#610 bsc#1206673
1 parent
60fea30
commit 4b7d384
Showing
5 changed files
with
98 additions
and
5 deletions.
@@ -0,0 +1,70 @@ | ||
Index: future-0.16.0/src/future/backports/http/cookiejar.py | ||
=================================================================== | ||
--- future-0.16.0.orig/src/future/backports/http/cookiejar.py | ||
+++ future-0.16.0/src/future/backports/http/cookiejar.py | ||
@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile( | ||
(?::(\d\d))? # optional seconds | ||
)? # optional clock | ||
\s* | ||
- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone | ||
+ (?: | ||
+ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone | ||
\s* | ||
- (?:\(\w+\))? # ASCII representation of timezone in parens. | ||
- \s*$""", re.X | re.ASCII) | ||
+ )? | ||
+ (?: | ||
+ \(\w+\) # ASCII representation of timezone in parens. | ||
+ \s* | ||
+ )?$""", re.X | re.ASCII) | ||
def http2time(text): | ||
"""Returns time in seconds since epoch of time represented by a string. | ||
|
||
@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile( | ||
(?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional) | ||
)? # optional clock | ||
\s* | ||
- ([-+]?\d\d?:?(:?\d\d)? | ||
- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT) | ||
- \s*$""", re.X | re. ASCII) | ||
+ (?: | ||
+ ([-+]?\d\d?:?(:?\d\d)? | ||
+ |Z|z) # timezone (Z is "zero meridian", i.e. GMT) | ||
+ \s* | ||
+ )?$""", re.X | re. ASCII) | ||
def iso2time(text): | ||
""" | ||
As for http2time, but parses the ISO 8601 formats: | ||
Index: future-0.16.0/tests/test_future/test_http_cookiejar.py | ||
=================================================================== | ||
--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py | ||
+++ future-0.16.0/tests/test_future/test_http_cookiejar.py | ||
@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase): | ||
"http2time(%s) is not None\n" | ||
"http2time(test) %s" % (test, http2time(test))) | ||
|
||
+ def test_http2time_redos_regression_actually_completes(self): | ||
+ # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused | ||
+ # catastrophic backtracking (REDoS). If we regress to cubic complexity, | ||
+ # this test will take a very long time to succeed. If fixed, it should | ||
+ # complete within a fraction of a second. | ||
+ http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)) | ||
+ http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5)) | ||
+ | ||
def test_iso2time(self): | ||
def parse_date(text): | ||
return time.gmtime(iso2time(text))[:6] | ||
@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase): | ||
"iso2time(%s) is not None\n" | ||
"iso2time(test) %s" % (test, iso2time(test))) | ||
|
||
+ def test_iso2time_performance_regression(self): | ||
+ # If ISO_DATE_RE regresses to quadratic complexity, this test will take | ||
+ # a very long time to succeed. If fixed, it should complete within a | ||
+ # fraction of a second. | ||
+ iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6)) | ||
+ iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6)) | ||
+ | ||
|
||
class HeaderTests(unittest.TestCase): | ||
|
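Review bot: The new patch file has no provenance header before its first `Index:` line, so anyone reading it on its own cannot tell where the regex change came from or why it exists; a short leading comment block naming the origin, e.g. `Subject: Fix REDoS in http.cookiejar (CVE-2022-40899, gh#PythonCharmers/python-future#610, bsc#1206673)` and the upstream source it was taken from, would make the patch self-describing and match the PATCH-FIX-UPSTREAM tag used in the spec. The regex hunks themselves look sound: each `\s*` now sits inside the optional group together with the token it follows, so the whitespace runs exercised by the two added regression tests no longer overlap with the preceding `\s*`. As a style nit, the two new tests spell the padding as `10 ** 5` and `' '*10**6` respectively; one spacing convention would read better. Note the `---`/`+++` paths are rooted at `future-0.16.0/` while the package is at 0.18.2, which is harmless only if the patch is applied with `-p1`.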
@@ -1,3 +1,10 @@ | ||
------------------------------------------------------------------- | ||
Thu Jan 5 12:03:41 UTC 2023 - Daniel Garcia <[email protected]> | ||
|
||
- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar | ||
gh#PythonCharmers/python-future#610 | ||
bsc#1206673 | ||
|
||
------------------------------------------------------------------- | ||
Fri Mar 12 13:35:13 UTC 2021 - Matej Cepl <[email protected]> | ||
|
||
|
@@ -1,7 +1,7 @@ | ||
# | ||
# spec file for package python-future | ||
# | ||
# Copyright (c) 2021 SUSE LLC | ||
# Copyright (c) 2023 SUSE LLC | ||
# | ||
# All modifications and additions to the file contributed by third parties | ||
# remain the property of their copyright owners, unless otherwise agreed | ||
|
@@ -16,7 +16,6 @@ | |
# | ||
|
||
|
||
%{?!python_module:%define python_module() python-%{**} python3-%{**}} | ||
Name: python-future | ||
Version: 0.18.2 | ||
Release: 0 | ||
|
@@ -33,6 +32,8 @@ Patch1: future-correct-mimetype.patch | |
# PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 [email protected] | ||
# Overcome incompatibilites with python 3.9 | ||
Patch2: python39-build.patch | ||
# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 bsc#1206673 | ||
Patch3: CVE-2022-40899.patch | ||
BuildRequires: %{python_module pytest} | ||
BuildRequires: %{python_module setuptools} | ||
BuildRequires: fdupes | ||
|
@@ -43,7 +44,7 @@ BuildRequires: %{python_module dbm} | |
BuildRequires: python3-dbm | ||
%endif | ||
Requires(post): update-alternatives | ||
Requires(preun):update-alternatives | ||
Requires(postun):update-alternatives | ||
BuildArch: noarch | ||
%python_subpackages | ||
|
||
|
@@ -71,7 +72,7 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py | |
%post | ||
%{python_install_alternative futurize pasteurize} | ||
|
||
%preun | ||
%postun | ||
%python_uninstall_alternative futurize | ||
|
||
%check | ||
|
@@ -86,6 +87,10 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py | |
%license LICENSE.txt | ||
%python_alternative %{_bindir}/futurize | ||
%python_alternative %{_bindir}/pasteurize | ||
%{python_sitelib}/* | ||
%{python_sitelib}/future-%{version}*-info | ||
%{python_sitelib}/future | ||
%{python_sitelib}/libfuturize | ||
%{python_sitelib}/libpasteurize | ||
%{python_sitelib}/past | ||
|
||
%changelog |
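Review bot: Patch3 is declared in the hunk at `@@ -33,6 +32,8 @@`, but nothing in this diff shows it being applied; if %prep applies patches with individual `%patch` lines rather than `%autosetup -p1`, a matching `%patch3 -p1` is required, and since the %prep section is outside the diff I cannot confirm which form is used. Either way the patch's `---`/`+++` paths carry a `future-0.16.0/` prefix, so it must be stripped with `-p1` even though Version is 0.18.2. Replacing `%{python_sitelib}/*` with the explicit file list in the last hunk is a welcome tightening, as stray files would now fail the build instead of being shipped silently.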