Fix CVE-2020-29651
(cherry picked from commit 2d7c885024fc788a69976a585f0f35e47adf7fce)
This commit is contained in:
houyingchao
openeuler-sync-bot
parent
978fd8c3be
commit
3da5bcab72
31
CVE-2020-29651.patch
Normal file
31
CVE-2020-29651.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001
|
||||
From: Ran Benita <ran@unusedvar.com>
|
||||
Date: Fri, 4 Sep 2020 13:57:26 +0300
|
||||
Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame
|
||||
functionality
|
||||
|
||||
The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
|
||||
to catastrophic backtracing given a string like `"1" * 5000`.
|
||||
|
||||
SVN blame output seems to always have at least one space between the
|
||||
revision number and the user name, so the ambiguity can be fixed by
|
||||
changing the `*` to `+`.
|
||||
|
||||
Fixes #256.
|
||||
---
|
||||
py/_path/svnwc.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/py-1.5.4/py/_path/svnwc.py b/py-1.5.4/py/_path/svnwc.py
|
||||
index 3138dd85..b5b9d8d5 100644
|
||||
--- a/py-1.5.4/py/_path/svnwc.py
|
||||
+++ b/py-1.5.4/py/_path/svnwc.py
|
||||
@@ -396,7 +396,7 @@ def makecmdoptions(self):
|
||||
def __str__(self):
|
||||
return "<SvnAuth username=%s ...>" %(self.username,)
|
||||
|
||||
-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
|
||||
+rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
|
||||
|
||||
class SvnWCCommandPath(common.PathBase):
|
||||
""" path implementation offering access/modification to svn working copies.
|
||||
@ -8,11 +8,12 @@
|
||||
|
||||
Name: python-%{modname}
|
||||
Version: 1.5.4
|
||||
Release: 4
|
||||
Release: 5
|
||||
Summary: Library with cross-python path, ini-parsing, io, code, log facilities
|
||||
License: MIT and Public Domain
|
||||
URL: http://pylib.readthedocs.io/en/stable/
|
||||
Source: https://files.pythonhosted.org/packages/source/p/%{modname}/%{modnameversion}.tar.gz
|
||||
Patch0: CVE-2020-29651.patch
|
||||
BuildArch: noarch
|
||||
|
||||
%if %{with tests}
|
||||
@ -70,7 +71,7 @@ Obsoletes: platform-python-%{modname} < %{version}-%{release}
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -c -n %{modnameversion}
|
||||
%autosetup -c -n %{modnameversion} -p1
|
||||
|
||||
find %{modnameversion} \
|
||||
-type f -a \( -name '*.py' -o -name 'py.*' \) \
|
||||
@ -133,5 +134,8 @@ popd
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 23 2020 houyingchao <houyingchao@huawei.com> - 1.5.4-5
|
||||
- Fix CVE-2020-29651
|
||||
|
||||
* Tue Dec 10 2019 mengxian <mengxian@huawei.com> - 1.5.4-4
|
||||
- Package init
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user