Skip to content

Address CVE-2023-26112 ReDoS #236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jelmer merged 1 commit into from
Sep 17, 2024
Merged

Address CVE-2023-26112 ReDoS #236

jelmer merged 1 commit into from
Sep 17, 2024

Conversation

@cdcadman
Copy link
Contributor

@cdcadman cdcadman commented May 17, 2023

This PR would close #232 . I added a test based on the example provided.

@cdcadman
Copy link
Contributor Author

cdcadman commented May 17, 2023

My proposed fix is inspired by this link (being more precise to mitigate catastrophic backtracking): https://www.regular-expressions.info/catastrophic.html

@cdcadman cdcadman mentioned this pull request May 31, 2023
Closed
@thebaptiste
Copy link

thebaptiste commented Aug 30, 2023

@MichaelHipp @robdennis @EliAndrewC @untitaker
Is there any maintener available to review this PR please ?
#232 should be fixed in a new release...

@untitaker
Copy link
Contributor

untitaker commented Aug 30, 2023 via email

@thebaptiste thebaptiste mentioned this pull request Aug 30, 2023
Closed
@braingram braingram mentioned this pull request Sep 5, 2023
Closed
@vavsab
Copy link

vavsab commented Sep 15, 2023

@robdennis is it possible to merge this PR?

@yewhen
Copy link

yewhen commented Oct 31, 2023

Could someone review this pr and merge it ASAP? It is a security hole fix..

@Deblintrake09 Deblintrake09 mentioned this pull request Jan 3, 2024
Closed
@SimonDR-Boltzmann
Copy link

SimonDR-Boltzmann commented Mar 1, 2024

Bumping once more, this is affecting a lot of projects.

@blakeNaccarato blakeNaccarato mentioned this pull request Jun 14, 2024
Open
2 tasks
@frank-hopkin
Copy link

frank-hopkin commented Aug 8, 2024

@MichaelHipp @robdennis @EliAndrewC @untitaker

Is there any roadmap on a release with this merged? It's been over a year and it's a reported vulnerability at NIST.

#232
https://nvd.nist.gov/vuln/detail/cve-2023-26112

@untitaker
Copy link
Contributor

untitaker commented Aug 8, 2024

@frank-hopkin-accrisoft my answer is the same as last year. I am not a maintainer of this repository, and most of the people you are mentioning are neither.

@frank-hopkin
Copy link

frank-hopkin commented Aug 8, 2024

@frank-hopkin-accrisoft my answer is the same as last year. I am not a maintainer of this repository, and most of the people you are mentioning are neither.

Thank you for the reply, I admittedly blindly copied someone else's mentions.

@jelmer
Copy link
Collaborator

jelmer commented Aug 8, 2024

I recently got access to the repo and have been meaning to look at this, hopefully will actually manage in the next two weeks.

freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this pull request Aug 29, 2024
@nivit
devel/py-configobj: Fix security issue CVE-2023-26112
9567ab3 
- Add a patch to fix Regular Expression Denial of Service.
  It is an unofficial patch [1], but it has already been applied by
  other projects such as Debian or Fedora [2].

- Bump PORTREVISION

Reference:	DiffSK/configobj#236 [1]
Reference:	https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2]
Reference:	https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2]

Security:	CVE-2023-26112
nanorkyo pushed a commit to nanorkyo/freebsd-ports that referenced this pull request Aug 31, 2024
@nivit @nanorkyo
devel/py-configobj: Fix security issue CVE-2023-26112
b074aee 
- Add a patch to fix Regular Expression Denial of Service.
  It is an unofficial patch [1], but it has already been applied by
  other projects such as Debian or Fedora [2].

- Bump PORTREVISION

Reference:	DiffSK/configobj#236 [1]
Reference:	https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2]
Reference:	https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2]

Security:	CVE-2023-26112
nanorkyo pushed a commit to nanorkyo/freebsd-ports that referenced this pull request Aug 31, 2024
@nivit @nanorkyo
devel/py-configobj: Fix security issue CVE-2023-26112
ac4cba3 
- Add a patch to fix Regular Expression Denial of Service.
  It is an unofficial patch [1], but it has already been applied by
  other projects such as Debian or Fedora [2].

- Bump PORTREVISION

Reference:	DiffSK/configobj#236 [1]
Reference:	https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2]
Reference:	https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2]

Security:	CVE-2023-26112
@vpriesgoscol001
Copy link

vpriesgoscol001 commented Sep 10, 2024

Hi. Any news on this fix? Greatly appreciated!

@jelmer jelmer merged commit 7c618b0 into DiffSK:5.0.x Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jelmer jelmer jelmer approved these changes

+1 more reviewer

@alex alex alex approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@cdcadman @thebaptiste @untitaker @vavsab @yewhen @SimonDR-Boltzmann @frank-hopkin @jelmer @vpriesgoscol001 @alex