Address CVE-2023-26112 ReDoS #236
Conversation
My proposed fix is inspired by this link (being more precise to mitigate catastrophic backtracking): https://www.regular-expressions.info/catastrophic.html
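The technique the PR describes is to make the pattern more precise so the regex engine has fewer ways to split the input before it backtracks. The following is an added example and is not code from this PR or from configobj: the two patterns are my illustration of that shape (a lazy `.+?` prefix before a literal `(`, tightened to a negated character class), written to mirror the validate-function regex cited in public advisories for CVE-2023-26112, which I have not checked against this PR's diff; the hostile input is constructed.

```python
import re
import time

# Constructed illustration of the pattern shape this PR tightens: a lazy
# "anything" prefix before a literal "(" (assumed to mirror the validate
# regex named in the CVE advisory; check the PR diff for the real pattern).
VAGUE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
# Tightened form: the name may not contain parentheses, so the engine has at
# most one place to end group 1 instead of one per "(" in the input.
PRECISE = re.compile(r'([^()]+?)\((.*)\)', re.DOTALL)


def split_call(pattern, text):
    """Return (name, args) when text looks like name(args), else None."""
    m = pattern.match(text)
    return (m.group(1), m.group(2)) if m else None


def adversarial(n):
    """Constructed hostile input: a name, then n '(' and no closing ')'.

    VAGUE treats every '(' as a candidate end of group 1; for each candidate
    '.*' swallows the remainder and backtracks looking for a ')' that never
    comes, so the work is O(n^2).  PRECISE cannot extend group 1 past the
    first '(' and gives up after one O(n) pass.
    """
    return 'name' + '(' * n


def time_match(pattern, text):
    """Seconds spent in a single match() attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def slowdown(pattern, small=5000, large=20000):
    """Ratio of match time when the hostile input grows from small to large.

    Roughly (large/small)**2 for a quadratic pattern, roughly large/small
    (or timing noise) for a linear one.
    """
    t_small = time_match(pattern, adversarial(small))
    t_large = time_match(pattern, adversarial(large))
    return t_large / max(t_small, 1e-9)


if __name__ == '__main__':
    for label, pattern in (('vague', VAGUE), ('precise', PRECISE)):
        print(label, split_call(pattern, 'integer(min=0, max=10)'))
        print(label, 'slowdown on 4x larger hostile input: x%.1f' % slowdown(pattern))
```

Running it shows the vague pattern's match time growing roughly 16x when the hostile input grows 4x, against about 4x (or noise) for the precise one. The caveat a reviewer should note: the tightened pattern also rejects a name containing `)` (for example `a)b(c)`) that the old pattern accepted, so a regression test over real validator strings matters, not just the hostile input.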
@MichaelHipp @robdennis @EliAndrewC @untitaker
I do not have access to this repo
On Wed, Aug 30, 2023, at 13:00, Jean-Baptiste VESLIN wrote:
@MichaelHipp <https://github.com/MichaelHipp> @robdennis <https://github.com/robdennis> @EliAndrewC <https://github.com/EliAndrewC> @untitaker <https://github.com/untitaker>
Is there any maintainer available to review this PR please?
#232 <#232> should be fixed in a new release...
@robdennis is it possible to merge this PR?
Could someone review this PR and merge it ASAP? It is a security hole fix.
Bumping once more, this is affecting a lot of projects.
@MichaelHipp @robdennis @EliAndrewC @untitaker Is there any roadmap on a release with this merged? It's been over a year and it's a reported vulnerability at NIST.
@frank-hopkin-accrisoft my answer is the same as last year. I am not a maintainer of this repository, and most of the people you are mentioning are neither.
Thank you for the reply, I admittedly blindly copied someone else's mentions.
I recently got access to the repo and have been meaning to look at this, hopefully will actually manage in the next two weeks.
- Add a patch to fix Regular Expression Denial of Service. It is an unofficial patch [1], but it has already been applied by other projects such as Debian or Fedora [2].
- Bump PORTREVISION

Reference: DiffSK/configobj#236 [1]
Reference: https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2]
Reference: https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2]
Security: CVE-2023-26112
Hi. Any news on this fix? Greatly appreciated!
This PR would close #232. I added a test based on the example provided.