Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config...@packages.debian.org
Control: affects -1 + src:configobj

Please unblock package configobj

[ Reason ]
Resolves a (minor) security issue. The patch only became available
recently.

It resolves a ReDoS (regular expression denial of service) vulnerability
that can be triggered by parsing untrusted configuration files.
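As an added illustration (not code from configobj, the patch author or the Debian maintainer), the two check-parsing regexes from the debdiff below placed side by side, run on ordinary configspec checks and on a scaled-down version of the shape used by the patch's regression test. The helper names, the sample checks and the sizes are constructed for this illustration; the two regexes are copied verbatim from the patch.

```python
import re
import time

# The original check-parsing regex from configobj's validate.py and the one
# introduced by the CVE-2023-26112 fix, both copied from the debdiff.
FUNC_RE_OLD = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
FUNC_RE_NEW = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)


def parse_check(pattern, check):
    """Split a configspec check such as "integer(0, 10)" into (name, args).

    Returns None when the string has no "name(args)" shape, which is the
    case where configobj treats the whole string as a bare check name.
    (Helper written for this illustration, not configobj's own API.)
    """
    match = pattern.match(check)
    if match is None:
        return None
    return match.group(1), match.group(2)


def pathological_check(n):
    """Constructed input with the same shape as the patch's regression test,
    scaled down: a run that cannot be a name, one ')', then n times '('."""
    return '\x00' * n + ')' + '(' * n


def timed_match(pattern, check):
    """Return (matched, seconds) for a single pattern.match call."""
    start = time.perf_counter()
    result = pattern.match(check)
    return result is not None, time.perf_counter() - start


def main():
    # Both regexes agree on ordinary checks, including parentheses that
    # appear inside the argument list.
    for check in ("integer(0, 10)", "option('a(b)', 'c')", "string", "(1, 2)"):
        print(f"{check!r:24} old={parse_check(FUNC_RE_OLD, check)} "
              f"new={parse_check(FUNC_RE_NEW, check)}")

    # Old regex: the lazy (.+?) may extend past ')' and '(' one character at
    # a time, and after each extension (.*) scans to the end and backtracks
    # looking for a ')', so the cost grows with the square of the length.
    # New regex: [^\(\)]+? cannot step over ')', so matching stops there.
    for n in (2000, 4000, 8000):
        attack = pathological_check(n)
        _, t_old = timed_match(FUNC_RE_OLD, attack)
        _, t_new = timed_match(FUNC_RE_NEW, attack)
        print(f"n={n:6d}  old={t_old:.4f}s  new={t_new:.6f}s")


if __name__ == "__main__":
    main()
```

Run directly, the script prints identical parses for the well-formed checks and, for the pathological input, an old-regex time that roughly quadruples each time n doubles while the new regex stays flat; neither regex matches the pathological string, the fix only changes how long it takes to reach that answer.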

[ Impact ]
Ship with an outstanding (very minor) security issue.

[ Tests ]
The patch includes a regression test.

The package test suite passes.

[ Risks ]
Trivial change to a regex, which looks reasonable.

Upstream hasn't reviewed it yet.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock configobj/5.0.8-2
diff -Nru configobj-5.0.8/debian/changelog configobj-5.0.8/debian/changelog
--- configobj-5.0.8/debian/changelog    2023-01-26 18:57:36.000000000 -0400
+++ configobj-5.0.8/debian/changelog    2023-06-03 16:23:41.000000000 -0400
@@ -1,3 +1,11 @@
+configobj (5.0.8-2) unstable; urgency=medium
+
+  * Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
+    attack. (Closes: #1034152)
+  * Clean correctly.
+
+ -- Stefano Rivera <stefa...@debian.org>  Sat, 03 Jun 2023 16:23:41 -0400
+
 configobj (5.0.8-1) unstable; urgency=medium
 
   * New upstream release!
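Review bot: the second changelog entry, "Clean correctly.", documents a change that the [Reason] section of this request does not mention; since every line of the debdiff is reviewed during the freeze, say in the request (or expand the changelog entry) that the upload also adds debian/clean to remove src/configobj.egg-info/* at clean time, so the reviewer does not have to infer why a non-security change rides along with the CVE fix.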
diff -Nru configobj-5.0.8/debian/clean configobj-5.0.8/debian/clean
--- configobj-5.0.8/debian/clean        1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/clean        2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1 @@
+src/configobj.egg-info/*
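Review bot: `src/configobj.egg-info/*` removes the directory's contents but leaves the now-empty src/configobj.egg-info/ directory behind after clean; if the intent is to get rid of the build-generated directory entirely, list it as `src/configobj.egg-info/` instead (debhelper's dh_clean treats an entry with a trailing slash as a directory to delete together with its contents).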
diff -Nru configobj-5.0.8/debian/patches/CVE-2023-26112 
configobj-5.0.8/debian/patches/CVE-2023-26112
--- configobj-5.0.8/debian/patches/CVE-2023-26112       1969-12-31 
20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/patches/CVE-2023-26112       2023-06-03 
16:23:41.000000000 -0400
@@ -0,0 +1,48 @@
+From: cdcadman <mythi...@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+---
+ src/configobj/validate.py         |  2 +-
+ src/tests/test_validate_errors.py | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
++++ b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+ 
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  
re.DOTALL)
+diff --git a/src/tests/test_validate_errors.py 
b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
++++ b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+ 
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+ 
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+     ini.write('[[haha]]')
+     with pytest.raises(NestingError):
+         conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++    value = "aaa"
++    i = 165100
++    attack = '\x00'*i + ')' + '('*i
++    with pytest.raises(VdtUnknownCheckError):
++        val.check(attack, value)
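Review bot: the regression test test_re_dos detects a regression as a hang, not as a failure: with the pre-patch `(.+?)\((.*)\)` regex, `val.check(attack, value)` on a 330201-character string would spin in quadratic backtracking instead of raising, so a future reintroduction of the bug would show up as a stalled test run rather than a red test. Consider bounding it (for example with pytest-timeout's `@pytest.mark.timeout`, if that build-dependency is acceptable, or a wall-clock assertion around the call). The regex change itself is sound: restricting the name group to `[^\(\)]+?` means the lazy prefix can no longer swallow '(' or ')' characters, so the split point is fixed at the first '(' and the old character-by-character extension over the run of '(' cannot happen. On the header side, the patch carries `Origin:` but no `Bug-Debian:` line; adding `Bug-Debian: https://bugs.debian.org/1034152` makes the link to the Debian bug visible from the patch file itself.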
diff -Nru configobj-5.0.8/debian/patches/series 
configobj-5.0.8/debian/patches/series
--- configobj-5.0.8/debian/patches/series       1969-12-31 20:00:00.000000000 
-0400
+++ configobj-5.0.8/debian/patches/series       2023-06-03 16:23:41.000000000 
-0400
@@ -0,0 +1 @@
+CVE-2023-26112
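Review bot: style only: the patch file is named `CVE-2023-26112` with no `.patch` suffix, unlike the usual convention for debian/patches entries; naming it `CVE-2023-26112.patch` (and updating this series line to match) keeps the directory consistent for anyone scanning it.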
