Bug#1037079: unblock: configobj/5.0.8-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: configobj@packages.debian.org
Control: affects -1 + src:configobj
Please unblock package configobj
[ Reason ]
Resolves a (minor) security issue. The patch only became available
recently.
It resolves a ReDoS (regular expression denial of service) vulnerability
that could be triggered by parsing untrusted configuration files.
[ Impact ]
Ship with an outstanding (very minor) security issue.
[ Tests ]
The patch includes a regression test.
The package test suite passes.
[ Risks ]
Trivial change to a regex, which looks reasonable.
The upstream hasn't reviewed it, yet.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock configobj/5.0.8-2
diff -Nru configobj-5.0.8/debian/changelog configobj-5.0.8/debian/changelog
--- configobj-5.0.8/debian/changelog 2023-01-26 18:57:36.000000000 -0400
+++ configobj-5.0.8/debian/changelog 2023-06-03 16:23:41.000000000 -0400
@@ -1,3 +1,11 @@
+configobj (5.0.8-2) unstable; urgency=medium
+
+ * Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
+ attack. (Closes: #1034152)
+ * Clean correctly.
+
+ -- Stefano Rivera <stefanor@debian.org> Sat, 03 Jun 2023 16:23:41 -0400
+
configobj (5.0.8-1) unstable; urgency=medium
* New upstream release!
diff -Nru configobj-5.0.8/debian/clean configobj-5.0.8/debian/clean
--- configobj-5.0.8/debian/clean 1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/clean 2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1 @@
+src/configobj.egg-info/*
diff -Nru configobj-5.0.8/debian/patches/CVE-2023-26112 configobj-5.0.8/debian/patches/CVE-2023-26112
--- configobj-5.0.8/debian/patches/CVE-2023-26112 1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/patches/CVE-2023-26112 2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1,48 @@
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+---
+ src/configobj/validate.py | 2 +-
+ src/tests/test_validate_errors.py | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
++++ b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+ """
+
+ # this regex does the initial parsing of the checks
+- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+
+ # this regex takes apart keyword arguments
+ _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL)
+diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
++++ b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+ ini.write('[[haha]]')
+ with pytest.raises(NestingError):
+ conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++ value = "aaa"
++ i = 165100
++ attack = '\x00'*i + ')' + '('*i
++ with pytest.raises(VdtUnknownCheckError):
++ val.check(attack, value)
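Review bot: The regression test at the end of the hunk pins the fix only by not hanging — `i = 165100` is an unexplained magic size, and a regressed regex would stall the suite rather than fail it — so the size deserves a comment such as `# large enough that the pre-fix pattern backtracks for a very long time; a regression shows up as a hang, not an assertion failure`. On the validate.py side, the escapes inside the character class are unnecessary and the lazy quantifier is now redundant, because `[^()]` cannot consume the `(` that must follow, so `_func_re = re.compile(r'([^()]+)\((.*)\)', re.DOTALL)` matches the same inputs with the same groups and states the intent more plainly. A why-comment on that line, e.g. `# the name group must not span parentheses; letting it do so made nested parens backtrack super-linearly (CVE-2023-26112)`, would keep a future maintainer from reverting to `.+?`; the trailing `(.*)\)` is still greedy but, assuming the pattern is applied with match() rather than search() (the caller is outside the hunk), it backtracks at most once per character. The DEP-3 header could also carry `Bug-Debian: https://bugs.debian.org/1034152` so the patch links back to the bug the changelog entry closes.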
diff -Nru configobj-5.0.8/debian/patches/series configobj-5.0.8/debian/patches/series
--- configobj-5.0.8/debian/patches/series 1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/patches/series 2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1 @@
+CVE-2023-26112