Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python3-pymatgen
User: [email protected]
Usertags: pu bsp-2026-05-07-brazil
[ Reason ]
Fix ReDoS vulnerability in pymatgen: CVE-2022-42964. [1]

[ Impact ]
A crafted Gaussian input string can trigger exponential backtracking in GaussianInput.from_string, leading to excessive CPU usage and potential denial of service.

[ Tests ]
The vulnerable code path was tested with the proposed patch applied.

[ Risks ]
Low risk. The change is limited to the Gaussian input parser and is a targeted backport of the upstream fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream patch fixing ReDoS in GaussianInput.from_string.

[ Other info ]
Testing against the version currently available in bookworm did not reveal any issues. However, while testing with the python3.11 version currently in bookworm-proposed-updates, I observed an autopkgtest failure in a reverse dependency. At this point it is still unclear whether the issue is caused by a regression in python3.11 or by the reverse dependency itself. As part of that investigation, an existing patch in python-emmet-core appears to mitigate the observed failure. If further action is required, a separate bookworm-pu request will be filed for that package.

@dparsons has reviewed this backport and will sponsor it.
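An added regression check, not part of this bug report or of pymatgen: it embeds the two `_zmat_patt` regexes from the debdiff that follows, compares what they accept on short constructed inputs (kept short so the original pattern's exponential backtracking stays cheap) and times the patched pattern on a long ReDoS-shaped rejection. The Z-matrix sample lines and the `acceptance_differences` / `patched_reject_seconds` helpers are assumptions of this example, not code from the package.

```python
import itertools
import re
import time

# Both patterns are copied verbatim from the debdiff: the original _zmat_patt,
# whose nested quantifier (\w+)* backtracks exponentially on a long run of word
# characters followed by a rejected character, and the backported replacement.
OLD_ZMAT = re.compile(r"^(\w+)*([\s,]+(\w+)[\s,]+(\w+))*[\-\.\s,\w]*$")
NEW_ZMAT = re.compile(r"^(\w+)([\s,]+(\w+)[\s,]+(\w+)){0,3}[\-\.\s,\w]*$")

# Constructed Z-matrix-style lines: a symbol, then up to three reference/value pairs.
SAMPLE_LINES = ["C", "H 1 1.09", "H 1 1.09 2 109.5", "H,1,B1,2,A1,3,D1"]


def accepted_by(line):
    """Return (old_matches, new_matches) for a single input line."""
    return bool(OLD_ZMAT.match(line)), bool(NEW_ZMAT.match(line))


def acceptance_differences(alphabet=" ,.a", max_len=6):
    """Enumerate every string over `alphabet` up to `max_len` characters and
    return those the two patterns classify differently. Inputs stay short on
    purpose: the original pattern is only ever run where it cannot blow up."""
    diffs = []
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            old, new = accepted_by(s)
            if old != new:
                diffs.append(s)
    return diffs


def patched_reject_seconds(length=2000):
    """Seconds the patched pattern needs to reject a ReDoS-shaped probe: a long
    run of word characters ending in a character neither pattern allows. The
    probe is deliberately never fed to OLD_ZMAT."""
    probe = "a" * length + "!"
    start = time.perf_counter()
    if NEW_ZMAT.match(probe) is not None:
        raise AssertionError("probe unexpectedly matched")
    return time.perf_counter() - start


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:28} old={accepted_by(line)[0]} new={accepted_by(line)[1]}")
    diffs = acceptance_differences()
    # Every difference is an input the old pattern accepted without a leading word token.
    print(f"{len(diffs)} short inputs changed acceptance, e.g. {diffs[:4]!r}")
    print(f"patched pattern rejected the probe in {patched_reject_seconds():.4f}s")
```

Over this alphabet the only inputs whose classification changes are those that do not begin with a word character (the old `^(\w+)*` allowed zero leading tokens); the `{0,3}` cap does not narrow acceptance because the trailing class absorbs any further pairs.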
diff -Nru pymatgen-2022.11.7+dfsg1/debian/changelog pymatgen-2022.11.7+dfsg1/debian/changelog --- pymatgen-2022.11.7+dfsg1/debian/changelog 2024-08-28 10:15:13.000000000 -0300 +++ pymatgen-2022.11.7+dfsg1/debian/changelog 2026-05-27 08:45:16.000000000 -0300 @@ -1,3 +1,12 @@ +pymatgen (2022.11.7+dfsg1-11+deb12u2) bookworm; urgency=medium + + * Team upload. + * d/patches: + - CVE-2022-42964: Import and backport patch (Closes: #1024017) + (Fix exponential ReDoS in GaussianInput.from_string method) + + -- Matheus Polkorny <[email protected]> Wed, 27 May 2026 08:45:16 -0300 + pymatgen (2022.11.7+dfsg1-11+deb12u1) bookworm-security; urgency=medium * CVE-2024-23346 (Closes: #1064514) diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch --- pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch 1969-12-31 21:00:00.000000000 -0300 +++ pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch 2026-05-27 08:45:16.000000000 -0300 
@@ -0,0 +1,24 @@ +From: Luis Barroso-Luque <[email protected]> +Date: Tue, 12 Aug 2025 17:03:47 -0700 +Subject: patch ReDOS vulnerability: + https://salsa.debian.org/debichem-team/pymatgen/-/commit/dcba4226dfc59789070bd1f7aa40b953e7722651 + (#4476) + +Origin: upstream, https://github.com/materialsproject/pymatgen/commit/0f5c4af439817a7742dc2d4608357cc252f655f8 +--- + pymatgen/io/gaussian.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pymatgen/io/gaussian.py b/pymatgen/io/gaussian.py +index c17bdbc..76fbae8 100644 +--- a/pymatgen/io/gaussian.py ++++ b/pymatgen/io/gaussian.py +@@ -90,7 +90,7 @@ class GaussianInput: + """ + + # Commonly used regex patterns +- _zmat_patt = re.compile(r"^(\w+)*([\s,]+(\w+)[\s,]+(\w+))*[\-\.\s,\w]*$") ++ _zmat_patt = re.compile(r"^(\w+)([\s,]+(\w+)[\s,]+(\w+)){0,3}[\-\.\s,\w]*$") + _xyz_patt = re.compile(r"^(\w+)[\s,]+([\d\.eE\-]+)[\s,]+([\d\.eE\-]+)[\s,]+" r"([\d\.eE\-]+)[\-\.\s,\w.]*$") + + def __init__( diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/series pymatgen-2022.11.7+dfsg1/debian/patches/series --- pymatgen-2022.11.7+dfsg1/debian/patches/series 2024-08-28 10:15:13.000000000 -0300 +++ pymatgen-2022.11.7+dfsg1/debian/patches/series 2026-05-27 08:45:16.000000000 -0300 @@ -12,3 +12,4 @@ stress_fp_approx_2839.patch no_mp_api.patch CVE-2024-23346.patch +CVE-2022-42964.patch
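Review bot: in the pymatgen/io/gaussian.py hunk the replacement does more than bound the backtracking: `^(\w+)*` could match zero leading word tokens, so a line beginning with whitespace or a comma still matched the old `_zmat_patt`, whereas `^(\w+)` now requires one, while the trailing `[\-\.\s,\w]*` absorbs anything beyond three reference/value pairs, so `{0,3}` does not narrow acceptance further. That is what upstream shipped, but since [ Tests ] only reports exercising the vulnerable path, it would be worth recording in the bug that representative Z-matrix lines still match after the backport. Separately, the DEP-3 header is unusual: the `Subject:` continuation carries a salsa.debian.org commit URL while `Origin:` points at the GitHub commit; consider keeping only the upstream subject text and adding `Bug-Debian: https://bugs.debian.org/1024017` (the bug number already appears in the changelog hunk).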

