!31 [sync] PR-28: fix CVE-2021-46823

From: @openeuler-sync-bot Reviewed-by: @compile_success Signed-off-by: @compile_success
2022-07-27 07:08:21 +00:00 · 2022-07-27 07:08:21 +00:00 · cc4f3bcd3f
commit cc4f3bcd3f
parent 154f876d70 d2256dde7a
3 changed files with 104 additions and 2 deletions
--- a/backport-0001-CVE-2021-46823.patch
+++ b/backport-0001-CVE-2021-46823.patch
@ -0,0 +1,74 @@
+From 7e084aec1ba9ced25b44fd3db77e65242a827806 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 6 May 2020 15:48:46 +0100
+Subject: [PATCH] Get rid of expected failures in tokenizer tests
+
+https://github.com/python-ldap/python-ldap/pull/283
+---
+ Lib/ldap/schema/tokenizer.py     | 10 +++++++---
+ Tests/t_ldap_schema_tokenizer.py |  6 ++----
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/Lib/ldap/schema/tokenizer.py b/Lib/ldap/schema/tokenizer.py
+index 20958c09..69823f2b 100644
+--- a/Lib/ldap/schema/tokenizer.py
+++ b/Lib/ldap/schema/tokenizer.py
+@@ -13,12 +13,16 @@
+     r"|"              # or
+     r"([^'$()\s]+)"   # string of length >= 1 without '$() or whitespace
+     r"|"              # or
+-    r"('.*?'(?!\w))"  # any string or empty string surrounded by single quotes
+-                      # except if right quote is succeeded by alphanumeric char
+    r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))"
+                      # any string or empty string surrounded by unescaped
+                      # single quotes except if right quote is succeeded by
+                      # alphanumeric char
+     r"|"              # or
+     r"([^\s]+?)",     # residue, all non-whitespace strings
+ ).findall
+ 
+UNESCAPE_PATTERN = re.compile(r"\\(.)")
+
+ 
+ def split_tokens(s):
+     """
+@@ -30,7 +34,7 @@ def split_tokens(s):
+         if unquoted:
+             parts.append(unquoted)
+         elif quoted:
+-            parts.append(quoted[1:-1])
+            parts.append(UNESCAPE_PATTERN.sub(r'\1', quoted[1:-1]))
+         elif opar:
+             parens += 1
+             parts.append(opar)
+diff --git a/Tests/t_ldap_schema_tokenizer.py b/Tests/t_ldap_schema_tokenizer.py
+index c8581771..0890379a 100644
+--- a/Tests/t_ldap_schema_tokenizer.py
+++ b/Tests/t_ldap_schema_tokenizer.py
+@@ -44,8 +44,8 @@
+ 
+ # broken schema of Oracle Internet Directory
+ TESTCASES_BROKEN_OID = (
+-    ("BLUBB DI 'BLU B B ER'MUST 'BLAH' ", ['BLUBB', 'DI', 'BLU B B ER', 'MUST', 'BLAH']),
+-    ("BLUBBER DI 'BLU'BB ER' DA 'BLAH' ", ["BLUBBER", "DI", "BLU'BB ER", "DA", "BLAH"]),
+    "BLUBB DI 'BLU B B ER'MUST 'BLAH' ", #['BLUBB', 'DI', 'BLU B B ER', 'MUST', 'BLAH']
+    "BLUBBER DI 'BLU'BB ER' DA 'BLAH' ", #["BLUBBER", "DI", "BLU'BB ER", "DA", "BLAH"]
+ )
+ 
+ # for quoted single quotes inside string values
+@@ -104,14 +104,12 @@ def test_utf8(self):
+         """
+         self._run_split_tokens_tests(TESTCASES_UTF8)
+ 
+-    @unittest.expectedFailure
+     def test_broken_oid(self):
+         """
+         run test cases specified in constant TESTCASES_BROKEN_OID
+         """
+         self._run_failure_tests(TESTCASES_BROKEN_OID)
+ 
+-    @unittest.expectedFailure
+     def test_escaped_quotes(self):
+         """
+         run test cases specified in constant TESTCASES_ESCAPED_QUOTES
+
--- a/backport-0002-CVE-2021-46823.patch
+++ b/backport-0002-CVE-2021-46823.patch
@ -0,0 +1,22 @@
+From faa011b41f7141121546045925d809d54e70f5fd Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 15 Oct 2021 15:21:37 +0100
+Subject: [PATCH] Fix ReDoS in regex.
+
+---
+ Lib/ldap/schema/tokenizer.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lib/ldap/schema/tokenizer.py b/Lib/ldap/schema/tokenizer.py
+index 69823f2b..623b86d5 100644
+--- a/Lib/ldap/schema/tokenizer.py
+++ b/Lib/ldap/schema/tokenizer.py
+@@ -13,7 +13,7 @@
+     r"|"              # or
+     r"([^'$()\s]+)"   # string of length >= 1 without '$() or whitespace
+     r"|"              # or
+-    r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))"
+    r"('(?:[^'\\]|\\.)*'(?!\w))"
+                       # any string or empty string surrounded by unescaped
+                       # single quotes except if right quote is succeeded by
+                       # alphanumeric char
--- a/python-ldap.spec
+++ b/python-ldap.spec
@ -1,12 +1,15 @@
 %define debug_package %{nil}
 Name:		python-ldap	
 Version:	3.1.0
-Release:	3
+Release:	4
 Summary:	An object-oriented API to access LDAP directory servers
 License:	Python
 URL:		http://python-ldap.org/
 Source0:	https://files.pythonhosted.org/packages/source/p/%{name}/%{name}-%{version}.tar.gz

+Patch0:		backport-0001-CVE-2021-46823.patch
+Patch1:		backport-0002-CVE-2021-46823.patch
+
 BuildRequires:	gcc openldap-devel openssl-devel cyrus-sasl-devel
 BuildRequires:  python3-devel python3-setuptools openldap-servers

@ -35,7 +38,7 @@ OpenLDAP 2.x libraries, and contains modules for other LDAP-related tasks\
 %package_help

 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 find . -name '*.py' | xargs sed -i '1s|^#!/usr/bin/env python|#!%{__python3}|'
 sed -i 's,-Werror,-Wignore,g' tox.ini
 %build
@ -56,6 +59,9 @@ sed -i 's,-Werror,-Wignore,g' tox.ini
 %doc CHANGES README TODO Demo

 %changelog
+* Tue Jul 26 2022 zhouwenpei<zhouwenpei1@h-partners.com> - 3.1.0-4
+- fix CVE-2021-46823
+
 * Wed Oct 14 2020 shixuantong<shixuantong@huawei.com> - 3.1.0-3
 - delete useless buildrequires