CVE-2020-29651 is a compute time DoS attack when py.path.svnwc component
of python-py is exploited by supplying malicious input to the blame
functionality.
Change-Id: I7ebbc7be0557b679b60de1cc73b27a7aad966b57
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/13763
Reviewed-by: Tapas Kundu <tkundu@vmware.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,31 @@ |
0 |
+From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Ran Benita <ran@unusedvar.com> |
|
2 |
+Date: Fri, 4 Sep 2020 13:57:26 +0300 |
|
3 |
+Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame |
|
4 |
+ functionality |
|
5 |
+ |
|
6 |
+The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject |
|
7 |
+to catastrophic backtracing given a string like `"1" * 5000`. |
|
8 |
+ |
|
9 |
+SVN blame output seems to always have at least one space between the |
|
10 |
+revision number and the user name, so the ambiguity can be fixed by |
|
11 |
+changing the `*` to `+`. |
|
12 |
+ |
|
13 |
+Fixes #256. |
|
14 |
+--- |
|
15 |
+ py/_path/svnwc.py | 2 +- |
|
16 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
17 |
+ |
|
18 |
+diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py |
|
19 |
+index 3138dd85..b5b9d8d5 100644 |
|
20 |
+--- a/py/_path/svnwc.py |
|
21 |
+@@ -396,7 +396,7 @@ def makecmdoptions(self): |
|
22 |
+ def __str__(self): |
|
23 |
+ return "<SvnAuth username=%s ...>" %(self.username,) |
|
24 |
+ |
|
25 |
+-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)') |
|
26 |
++rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)') |
|
27 |
+ |
|
28 |
+ class SvnWCCommandPath(common.PathBase): |
|
29 |
+ """ path implementation offering access/modification to svn working copies. |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
|
3 | 3 |
Name: python3-py |
4 | 4 |
Version: 1.9.0 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
Summary: Python development support library |
7 | 7 |
License: MIT |
8 | 8 |
Group: Development/Languages/Python |
... | ... |
@@ -12,6 +12,7 @@ Distribution: Photon |
12 | 12 |
Source0: https://pypi.python.org/packages/53/72/6c6f1e787d9cab2cc733cf042f125abec07209a58308831c9f292504e826/py-%{version}.tar.gz |
13 | 13 |
%define sha1 py=8cbe522347596ffc292fd9b1ceaa4564a551ac76 |
14 | 14 |
|
15 |
+Patch0: python-py-CVE-2020-29651.patch |
|
15 | 16 |
BuildRequires: python3 |
16 | 17 |
BuildRequires: python3-devel |
17 | 18 |
BuildRequires: python3-setuptools |
... | ... |
@@ -34,6 +35,7 @@ py.code: dynamic code generation and introspection |
34 | 34 |
|
35 | 35 |
%prep |
36 | 36 |
%setup -n py-%{version} |
37 |
+%patch0 -p1 |
|
37 | 38 |
|
38 | 39 |
%build |
39 | 40 |
python3 setup.py build |
... | ... |
@@ -50,6 +52,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} |
50 | 50 |
%{python3_sitelib}/* |
51 | 51 |
|
52 | 52 |
%changelog |
53 |
+* Mon Jun 21 2021 Dweep Advani <dadvani@vmware.com> 1.9.0-2 |
|
54 |
+- Patched for CVE-2020-29651 |
|
53 | 55 |
* Tue Jul 28 2020 Tapas Kundu <tkundu@vmware.com> 1.9.0-1 |
54 | 56 |
- Updated to version 1.9.0 |
55 | 57 |
* Tue Jun 16 2020 Tapas Kundu <tkundu@vmware.com> 1.6.0-2 |