Hello community,

here is the log from the commit of package python-future for openSUSE:Factory 
checked in at 2023-01-06 17:04:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-future (Old)
 and      /work/SRC/openSUSE:Factory/.python-future.new.1563 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-future"

Fri Jan  6 17:04:23 2023 rev:14 rq:1056169 version:0.18.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-future/python-future.changes      
2021-03-17 20:13:33.118792401 +0100
+++ /work/SRC/openSUSE:Factory/.python-future.new.1563/python-future.changes    
2023-01-06 17:04:42.627896564 +0100
@@ -1,0 +2,7 @@
+Thu Jan  5 12:03:41 UTC 2023 - Daniel Garcia <daniel.gar...@suse.com>
+
+- Add CVE-2022-40899.patch to fix REDoS in http.cookiejar
+  gh#PythonCharmers/python-future#610
+  bsc#1206673
+
+-------------------------------------------------------------------

New:
----
  CVE-2022-40899.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-future.spec ++++++
--- /var/tmp/diff_new_pack.u0LQWk/_old  2023-01-06 17:04:42.999898653 +0100
+++ /var/tmp/diff_new_pack.u0LQWk/_new  2023-01-06 17:04:43.003898676 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-future
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,7 +16,6 @@
 #
 
 
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-future
 Version:        0.18.2
 Release:        0
@@ -33,6 +32,8 @@
 # PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 
mc...@suse.com
 # Overcome incompatibilites with python 3.9
 Patch2:         python39-build.patch
+# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 
bsc#1206673
+Patch3:         CVE-2022-40899.patch
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
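Review bot: Patch3 is declared here but the %prep section that applies it is not in view; if the spec applies patches with explicit `%patch` lines rather than `%autosetup -p1`, a matching `%patch3 -p1` is needed, otherwise the CVE fix is shipped in the source RPM but never applied to the build. The patch's own headers name `future-0.16.0/...` paths while this spec builds Version 0.18.2; with `-p1` the leading directory is stripped so it should still apply, but refreshing the patch against the 0.18.2 tree would keep the header from misleading the next reader. The %prep section, if present, is outside this hunk.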
@@ -43,7 +44,7 @@
 BuildRequires:  python3-dbm
 %endif
 Requires(post): update-alternatives
-Requires(preun):update-alternatives
+Requires(postun):update-alternatives
 BuildArch:      noarch
 %python_subpackages
 
@@ -71,7 +72,7 @@
 %post
 %{python_install_alternative futurize pasteurize}
 
-%preun
+%postun
 %python_uninstall_alternative futurize
 
 %check
@@ -86,6 +87,10 @@
 %license LICENSE.txt
 %python_alternative %{_bindir}/futurize
 %python_alternative %{_bindir}/pasteurize
-%{python_sitelib}/*
+%{python_sitelib}/future-%{version}*-info
+%{python_sitelib}/future
+%{python_sitelib}/libfuturize
+%{python_sitelib}/libpasteurize
+%{python_sitelib}/past
 
 %changelog

++++++ CVE-2022-40899.patch ++++++
Index: future-0.16.0/src/future/backports/http/cookiejar.py
===================================================================
--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
+++ future-0.16.0/src/future/backports/http/cookiejar.py
@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
        (?::(\d\d))?    # optional seconds
     )?                 # optional clock
        \s*
-    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+    (?:
+       ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
        \s*
-    (?:\(\w+\))?       # ASCII representation of timezone in parens.
-       \s*$""", re.X | re.ASCII)
+    )?
+    (?:
+       \(\w+\)         # ASCII representation of timezone in parens.
+       \s*
+    )?$""", re.X | re.ASCII)
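Review bot: The restructured pattern carries no comment saying why the timezone and the parenthesised-zone parts are now each wrapped in their own optional group with the `\s*` inside, so a later tidy-up could fold them back into the original shape and reintroduce the catastrophic backtracking. I would add above the first `(?:` a comment such as `# Each trailing component owns its surrounding whitespace, so a run of spaces has only one way to match (CVE-2022-40899).` The same applies to the ISO_DATE_RE hunk below. The `re.compile(` call this hunk belongs to starts before the hunk.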
 def http2time(text):
     """Returns time in seconds since epoch of time represented by a string.
 
@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
       (?::?(\d\d(?:\.\d*)?))?  # optional seconds (and fractional)
    )?                    # optional clock
       \s*
-   ([-+]?\d\d?:?(:?\d\d)?
-    |Z|z)?               # timezone  (Z is "zero meridian", i.e. GMT)
-      \s*$""", re.X | re. ASCII)
+   (?:
+      ([-+]?\d\d?:?(:?\d\d)?
+       |Z|z)             # timezone  (Z is "zero meridian", i.e. GMT)
+      \s*
+   )?$""", re.X | re. ASCII)
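Review bot: The new closing line keeps `re. ASCII` with a stray space after the dot; it is valid Python but reads as a typo and is inconsistent with `re.X | re.ASCII` on the LOOSE_HTTP_DATE_RE hunk above, so I would write `)?$""", re.X | re.ASCII)`. The enclosing `re.compile(` call starts before the hunk.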
 def iso2time(text):
     """
     As for http2time, but parses the ISO 8601 formats:
Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
===================================================================
--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
+++ future-0.16.0/tests/test_future/test_http_cookiejar.py
@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
                               "http2time(%s) is not None\n"
                               "http2time(test) %s" % (test, http2time(test)))
 
+    def test_http2time_redos_regression_actually_completes(self):
+        # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
+        # catastrophic backtracking (REDoS). If we regress to cubic complexity,
+        # this test will take a very long time to succeed. If fixed, it should
+        # complete within a fraction of a second.
+        http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
+        http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
+
     def test_iso2time(self):
         def parse_date(text):
             return time.gmtime(iso2time(text))[:6]
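Review bot: `test_http2time_redos_regression_actually_completes` only calls `http2time` and asserts nothing, so a regression shows up as a hung test run rather than a failing test, and the parse result is not pinned either. I would bound it with the `time` module the file already uses, `t0 = time.perf_counter()` before the two calls and `self.assertLess(time.perf_counter() - t0, 5.0)` after them, and, if the trailing `!` indeed keeps the anchored pattern from matching, wrap each call in `self.assertIsNone(...)` so the expected result is explicit. The same applies to `test_iso2time_performance_regression` in the next hunk. Class DateTimeTests starts before the hunk.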
@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
                               "iso2time(%s) is not None\n"
                               "iso2time(test) %s" % (test, iso2time(test)))
 
+    def test_iso2time_performance_regression(self):
+        # If ISO_DATE_RE regresses to quadratic complexity, this test will take
+        # a very long time to succeed. If fixed, it should complete within a
+        # fraction of a second.
+        iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
+        iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
+
 
 class HeaderTests(unittest.TestCase):
 
