!15 [sync] PR-10: Fix CVE-2022-40899

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-03-13 03:34:56 +00:00 · 2023-03-13 03:34:56 +00:00 · e440c1625d
commit e440c1625d
parent abe1df67f0 69ab8c560e
2 changed files with 59 additions and 2 deletions
--- a/CVE-2022-40899.patch
+++ b/CVE-2022-40899.patch
@ -0,0 +1,52 @@
+From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001
+From: Will Shanks <wshaos@posteo.net>
+Date: Fri, 23 Dec 2022 13:38:26 -0500
+Subject: [PATCH] Backport fix for bpo-38804
+
+The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
+expression denial of service (REDoS). The regex contained multiple
+overlapping \s* capture groups. A long sequence of spaces can trigger
+bad performance.
+
+See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
+---
+ src/future/backports/http/cookiejar.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py
+index af3ef415..0ad80a02 100644
+--- a/src/future/backports/http/cookiejar.py
+++ b/src/future/backports/http/cookiejar.py
+@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz):
+        (?::(\d\d))?    # optional seconds
+     )?                 # optional clock
+        \s*
+-    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+    (?:
+       ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
+       \s*
+    )?
+    (?:
+       \(\w+\)         # ASCII representation of timezone in parens.
+        \s*
+-    (?:\(\w+\))?       # ASCII representation of timezone in parens.
+-       \s*$""", re.X | re.ASCII)
+    )?$""", re.X | re.ASCII)
+ def http2time(text):
+     """Returns time in seconds since epoch of time represented by a string.
+ 
+@@ -298,9 +302,11 @@ def http2time(text):
+       (?::?(\d\d(?:\.\d*)?))?  # optional seconds (and fractional)
+    )?                    # optional clock
+       \s*
+-   ([-+]?\d\d?:?(:?\d\d)?
+-    |Z|z)?               # timezone  (Z is "zero meridian", i.e. GMT)
+-      \s*$""", re.X | re. ASCII)
+   (?:
+      ([-+]?\d\d?:?(:?\d\d)?
+       |Z|z)             # timezone  (Z is "zero meridian", i.e. GMT)
+      \s*
+   )?$""", re.X | re. ASCII)
+ def iso2time(text):
+     """
+     As for http2time, but parses the ISO 8601 formats:
--- a/future.spec
+++ b/future.spec
@ -12,11 +12,12 @@ you can convert you Python code to support both version.

 Name:           future
 Version:        0.16.0
-Release:        11
+Release:        12
 Summary:        Missing compatibility layer between Python 2 and Python 3
 License:        MIT
 URL:            http://python-future.org/
 Source0:        https://github.com/PythonCharmers/python-future/archive/v%{version}.tar.gz#/python-future-%{version}.tar.gz
+Patch0:         CVE-2022-40899.patch
 BuildArch:      noarch

 %description
@ -39,11 +40,12 @@ BuildRequires:  python3-devel python3-setuptools python3-numpy python3-requests
 %{desc}

 %prep
-%autosetup -c -p1
+%setup -qc

 mv python-future-%{version} python2
 cd python2
 find -name '*.py' | xargs sed -i '1s|^#!python|#!%{__python2}|'
+%patch0 -p1
 cd ..

 cp -a python2 python3
@ -131,6 +133,9 @@ cd ..
 %{python3_sitelib}/*

 %changelog
+* Fri Mar 10 2023 yaoxin <yaoxin30@h-partners.com> - 0.16.0-12
+- Fix CVE-2022-40899
+
 * Thu Jan 09 2020 lihao <lihao129@huawei.com> - 0.16.0-11
 - Package Init