Bug#1037079: marked as done (bookworm-pu: configobj/5.0.8-2)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 4 Jun 2023 21:46:56 +0200
with message-id <3333b6db-1b2b-305c-dd63-9664f0fa7e60@debian.org>
and subject line closing still open unblock requests
has caused the Debian Bug report #1037079,
regarding bookworm-pu: configobj/5.0.8-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037079
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: configobj/5.0.8-2
• From: Stefano Rivera <stefanor@debian.org>
• Date: Sat, 3 Jun 2023 16:28:41 -0400
• Message-id: <[🔎] 20230603202841.fp53s3x6qmrc4h23@haydn.kardiogramm.net>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: configobj@packages.debian.org
Control: affects -1 + src:configobj

Please unblock package configobj

[ Reason ]
Resolves a (minor) security issue. The patch only became available
recently.

It resolves a ReDoS attack (regular expression denial of service)
potentially caused by parsing untrusted configuration files.

[ Impact ]
Ship with an outstanding (very minor) security issue.

[ Tests ]
The patch includes a regression test.

The package test suite passes.

[ Risks ]
Trivial change to a regex, which looks reasonable.

The upstream hasn't reviewed it, yet.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock configobj/5.0.8-2

diff -Nru configobj-5.0.8/debian/changelog configobj-5.0.8/debian/changelog
--- configobj-5.0.8/debian/changelog	2023-01-26 18:57:36.000000000 -0400
+++ configobj-5.0.8/debian/changelog	2023-06-03 16:23:41.000000000 -0400
@@ -1,3 +1,11 @@
+configobj (5.0.8-2) unstable; urgency=medium
+
+  * Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
+    attack. (Closes: #1034152)
+  * Clean correctly.
+
+ -- Stefano Rivera <stefanor@debian.org>  Sat, 03 Jun 2023 16:23:41 -0400
+
 configobj (5.0.8-1) unstable; urgency=medium
 
   * New upstream release!
diff -Nru configobj-5.0.8/debian/clean configobj-5.0.8/debian/clean
--- configobj-5.0.8/debian/clean	1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/clean	2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1 @@
+src/configobj.egg-info/*
diff -Nru configobj-5.0.8/debian/patches/CVE-2023-26112 configobj-5.0.8/debian/patches/CVE-2023-26112
--- configobj-5.0.8/debian/patches/CVE-2023-26112	1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/patches/CVE-2023-26112	2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1,48 @@
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+---
+ src/configobj/validate.py         |  2 +-
+ src/tests/test_validate_errors.py | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
++++ b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+ 
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)
+diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
++++ b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+ 
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+ 
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+     ini.write('[[haha]]')
+     with pytest.raises(NestingError):
+         conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++    value = "aaa"
++    i = 165100
++    attack = '\x00'*i + ')' + '('*i
++    with pytest.raises(VdtUnknownCheckError):
++        val.check(attack, value)
diff -Nru configobj-5.0.8/debian/patches/series configobj-5.0.8/debian/patches/series
--- configobj-5.0.8/debian/patches/series	1969-12-31 20:00:00.000000000 -0400
+++ configobj-5.0.8/debian/patches/series	2023-06-03 16:23:41.000000000 -0400
@@ -0,0 +1 @@
+CVE-2023-26112

--- End Message ---

--- Begin Message ---

• To: 1037072-done@bugs.debian.org, 1037076-done@bugs.debian.org, 1037078-done@bugs.debian.org, 1037079-done@bugs.debian.org, 1037082-done@bugs.debian.org
• Subject: closing still open unblock requests
• From: Paul Gevers <elbrus@debian.org>
• Date: Sun, 4 Jun 2023 21:46:56 +0200
• Message-id: <3333b6db-1b2b-305c-dd63-9664f0fa7e60@debian.org>

Hi,

The unblock requests that I'm closing in this message all came in after the deadline of 2023-05-28 12:00 UTC. We didn't have time to process them before the quiet period that started today.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

--- End Message ---