packages/future
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!15 [sync] PR-10: Fix CVE-2022-40899

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2023-03-13 03:34:56 +00:00 committed by Gitee
commit e440c1625d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 59 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
CVE-2022-40899.patch Normal file
View File

@ -0,0 +1,52 @@
From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001
From: Will Shanks <wshaos@posteo.net>
Date: Fri, 23 Dec 2022 13:38:26 -0500
Subject: [PATCH] Backport fix for bpo-38804
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS). The regex contained multiple
overlapping \s* capture groups. A long sequence of spaces can trigger
bad performance.
See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
---
src/future/backports/http/cookiejar.py | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py
index af3ef415..0ad80a02 100644
--- a/src/future/backports/http/cookiejar.py
+++ b/src/future/backports/http/cookiejar.py
@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz):
(?::(\d\d))? # optional seconds
)? # optional clock
\s*
- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+ (?:
+ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
+ \s*
+ )?
+ (?:
+ \(\w+\) # ASCII representation of timezone in parens.
\s*
- (?:\(\w+\))? # ASCII representation of timezone in parens.
- \s*$""", re.X | re.ASCII)
+ )?$""", re.X | re.ASCII)
def http2time(text):
"""Returns time in seconds since epoch of time represented by a string.
@@ -298,9 +302,11 @@ def http2time(text):
(?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
)? # optional clock
\s*
- ([-+]?\d\d?:?(:?\d\d)?
- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
- \s*$""", re.X | re. ASCII)
+ (?:
+ ([-+]?\d\d?:?(:?\d\d)?
+ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
+ \s*
+ )?$""", re.X | re. ASCII)
def iso2time(text):
"""
As for http2time, but parses the ISO 8601 formats:

9
future.spec
View File

@ -12,11 +12,12 @@ you can convert you Python code to support both version.
Name: future Name: future
Version: 0.16.0 Version: 0.16.0
Release: 11 Release: 12
Summary: Missing compatibility layer between Python 2 and Python 3 Summary: Missing compatibility layer between Python 2 and Python 3
License: MIT License: MIT
URL: http://python-future.org/ URL: http://python-future.org/
Source0: https://github.com/PythonCharmers/python-future/archive/v%{version}.tar.gz#/python-future-%{version}.tar.gz Source0: https://github.com/PythonCharmers/python-future/archive/v%{version}.tar.gz#/python-future-%{version}.tar.gz
Patch0: CVE-2022-40899.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -39,11 +40,12 @@ BuildRequires: python3-devel python3-setuptools python3-numpy python3-requests
%{desc} %{desc}
%prep %prep
%autosetup -c -p1 %setup -qc
mv python-future-%{version} python2 mv python-future-%{version} python2
cd python2 cd python2
find -name '*.py' | xargs sed -i '1s|^#!python|#!%{__python2}|' find -name '*.py' | xargs sed -i '1s|^#!python|#!%{__python2}|'
%patch0 -p1
cd .. cd ..
cp -a python2 python3 cp -a python2 python3
@ -131,6 +133,9 @@ cd ..
%{python3_sitelib}/* %{python3_sitelib}/*
%changelog %changelog
* Fri Mar 10 2023 yaoxin <yaoxin30@h-partners.com> - 0.16.0-12
- Fix CVE-2022-40899
* Thu Jan 09 2020 lihao <lihao129@huawei.com> - 0.16.0-11 * Thu Jan 09 2020 lihao <lihao129@huawei.com> - 0.16.0-11
- Package Init - Package Init