Bundled configobj subject to CVE-2023-26112 #106
Comments
Since Historically, it looks as though |
Unfortunately the |
The larger issue is that we really ought to be using a configuration format like |
configobj is subject to a ReDoS: GHSA-c33w-24p9-8m24
This regex used to parse the config/spec items suffers from catastrophic backtracking:
stpipe/src/stpipe/extern/configobj/validate.py
Line 540 in e82a1f0
This is one useful write-up on the issue: https://www.regular-expressions.info/catastrophic.html
The upstream/bundled project appears abandoned but does have an open PR that appears to fix the offending regex:
DiffSK/configobj#236
Given the level of control necessary to exploit the issue (it seems likely a `Step.spec` could be crafted to exploit it) it seems like a low risk as the step could also just include a `while True`. I haven't thought through what this means for command line options or if a ReDoS in python is limited to one cpu.