Skip to content

Commit

Permalink
Update python-future to version 0.18.2 / rev 14 via SR 1056169
Browse files Browse the repository at this point in the history
https://build.opensuse.org/request/show/1056169
by user dgarcia + dimstar_suse
- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
  gh#PythonCharmers/python-future#610
  bsc#1206673
  • Loading branch information
dgarcia authored and bmwiedemann committed Jan 6, 2023
1 parent 60fea30 commit 4b7d384
Show file tree
Hide file tree
Showing 5 changed files with 98 additions and 5 deletions.
Binary file modified packages/p/python-future/.files
Binary file not shown.
11 changes: 11 additions & 0 deletions packages/p/python-future/.rev
Original file line number Diff line number Diff line change
Expand Up @@ -123,4 +123,15 @@
</comment>
<requestid>878588</requestid>
</revision>
<revision rev="14" vrev="4">
<srcmd5>5491b4715ec1afd0cb6cf8b5fb1726d6</srcmd5>
<version>0.18.2</version>
<time>1673021063</time>
<user>dimstar_suse</user>
<comment>- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
gh#PythonCharmers/python-future#610
bsc#1206673
</comment>
<requestid>1056169</requestid>
</revision>
</revisionlist>
70 changes: 70 additions & 0 deletions packages/p/python-future/CVE-2022-40899.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
Index: future-0.16.0/src/future/backports/http/cookiejar.py
===================================================================
--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
+++ future-0.16.0/src/future/backports/http/cookiejar.py
@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
(?::(\d\d))? # optional seconds
)? # optional clock
\s*
- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+ (?:
+ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
\s*
- (?:\(\w+\))? # ASCII representation of timezone in parens.
- \s*$""", re.X | re.ASCII)
+ )?
+ (?:
+ \(\w+\) # ASCII representation of timezone in parens.
+ \s*
+ )?$""", re.X | re.ASCII)
def http2time(text):
"""Returns time in seconds since epoch of time represented by a string.

@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
(?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
)? # optional clock
\s*
- ([-+]?\d\d?:?(:?\d\d)?
- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
- \s*$""", re.X | re. ASCII)
+ (?:
+ ([-+]?\d\d?:?(:?\d\d)?
+ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
+ \s*
+ )?$""", re.X | re. ASCII)
def iso2time(text):
"""
As for http2time, but parses the ISO 8601 formats:
Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
===================================================================
--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
+++ future-0.16.0/tests/test_future/test_http_cookiejar.py
@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
"http2time(%s) is not None\n"
"http2time(test) %s" % (test, http2time(test)))

+ def test_http2time_redos_regression_actually_completes(self):
+ # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
+ # catastrophic backtracking (REDoS). If we regress to cubic complexity,
+ # this test will take a very long time to succeed. If fixed, it should
+ # complete within a fraction of a second.
+ http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
+ http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
+
def test_iso2time(self):
def parse_date(text):
return time.gmtime(iso2time(text))[:6]
@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
"iso2time(%s) is not None\n"
"iso2time(test) %s" % (test, iso2time(test)))

+ def test_iso2time_performance_regression(self):
+ # If ISO_DATE_RE regresses to quadratic complexity, this test will take
+ # a very long time to succeed. If fixed, it should complete within a
+ # fraction of a second.
+ iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
+ iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
+

class HeaderTests(unittest.TestCase):

7 changes: 7 additions & 0 deletions packages/p/python-future/python-future.changes
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Jan 5 12:03:41 UTC 2023 - Daniel Garcia <[email protected]>

- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
gh#PythonCharmers/python-future#610
bsc#1206673

-------------------------------------------------------------------
Fri Mar 12 13:35:13 UTC 2021 - Matej Cepl <[email protected]>

Expand Down
15 changes: 10 additions & 5 deletions packages/p/python-future/python-future.spec
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#
# spec file for package python-future
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
Expand All @@ -16,7 +16,6 @@
#


%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-future
Version: 0.18.2
Release: 0
Expand All @@ -33,6 +32,8 @@ Patch1: future-correct-mimetype.patch
# PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 [email protected]
# Overcome incompatibilites with python 3.9
Patch2: python39-build.patch
# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 bsc#1206673
Patch3: CVE-2022-40899.patch
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
Expand All @@ -43,7 +44,7 @@ BuildRequires: %{python_module dbm}
BuildRequires: python3-dbm
%endif
Requires(post): update-alternatives
Requires(preun):update-alternatives
Requires(postun):update-alternatives
BuildArch: noarch
%python_subpackages

Expand Down Expand Up @@ -71,7 +72,7 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
%post
%{python_install_alternative futurize pasteurize}

%preun
%postun
%python_uninstall_alternative futurize

%check
Expand All @@ -86,6 +87,10 @@ sed -i -e '/^#!\//, 1d' src/future/backports/test/pystone.py
%license LICENSE.txt
%python_alternative %{_bindir}/futurize
%python_alternative %{_bindir}/pasteurize
%{python_sitelib}/*
%{python_sitelib}/future-%{version}*-info
%{python_sitelib}/future
%{python_sitelib}/libfuturize
%{python_sitelib}/libpasteurize
%{python_sitelib}/past

%changelog

0 comments on commit 4b7d384

Please sign in to comment.