packages/python-py
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2020-29651

Browse Source 
(cherry picked from commit 2d7c885024fc788a69976a585f0f35e47adf7fce)
This commit is contained in:
houyingchao 2022-02-23 16:55:36 +08:00 committed by openeuler-sync-bot
parent 978fd8c3be
commit 3da5bcab72
2 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
CVE-2020-29651.patch Normal file
View File

@ -0,0 +1,31 @@
From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001
From: Ran Benita <ran@unusedvar.com>
Date: Fri, 4 Sep 2020 13:57:26 +0300
Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame
functionality
The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
to catastrophic backtracing given a string like `"1" * 5000`.
SVN blame output seems to always have at least one space between the
revision number and the user name, so the ambiguity can be fixed by
changing the `*` to `+`.
Fixes #256.
---
py/_path/svnwc.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/py-1.5.4/py/_path/svnwc.py b/py-1.5.4/py/_path/svnwc.py
index 3138dd85..b5b9d8d5 100644
--- a/py-1.5.4/py/_path/svnwc.py
+++ b/py-1.5.4/py/_path/svnwc.py
@@ -396,7 +396,7 @@ def makecmdoptions(self):
def __str__(self):
return "<SvnAuth username=%s ...>" %(self.username,)
-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
+rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
class SvnWCCommandPath(common.PathBase):
""" path implementation offering access/modification to svn working copies.

8
python-py.spec
View File

@ -8,11 +8,12 @@
Name: python-%{modname} Name: python-%{modname}
Version: 1.5.4 Version: 1.5.4
Release: 4 Release: 5
Summary: Library with cross-python path, ini-parsing, io, code, log facilities Summary: Library with cross-python path, ini-parsing, io, code, log facilities
License: MIT and Public Domain License: MIT and Public Domain
URL: http://pylib.readthedocs.io/en/stable/ URL: http://pylib.readthedocs.io/en/stable/
Source: https://files.pythonhosted.org/packages/source/p/%{modname}/%{modnameversion}.tar.gz Source: https://files.pythonhosted.org/packages/source/p/%{modname}/%{modnameversion}.tar.gz
Patch0: CVE-2020-29651.patch
BuildArch: noarch BuildArch: noarch
%if %{with tests} %if %{with tests}
@ -70,7 +71,7 @@ Obsoletes: platform-python-%{modname} < %{version}-%{release}
%endif %endif
%prep %prep
%autosetup -c -n %{modnameversion} %autosetup -c -n %{modnameversion} -p1
find %{modnameversion} \ find %{modnameversion} \
-type f -a \( -name '*.py' -o -name 'py.*' \) \ -type f -a \( -name '*.py' -o -name 'py.*' \) \
@ -133,5 +134,8 @@ popd
%endif %endif
%changelog %changelog
* Wed Feb 23 2020 houyingchao <houyingchao@huawei.com> - 1.5.4-5
- Fix CVE-2020-29651
* Tue Dec 10 2019 mengxian <mengxian@huawei.com> - 1.5.4-4 * Tue Dec 10 2019 mengxian <mengxian@huawei.com> - 1.5.4-4
- Package init - Package init