diff options
author | Michał Górny <mgorny@gentoo.org> | 2022-12-24 07:33:55 +0100 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2022-12-24 07:40:08 +0100 |
commit | 34253f1de1ae27affcf1f7fc05440506638b9650 (patch) | |
tree | be1fe621994b2bf9cae06c98cbd55c6f802a29d2 /dev-python/future | |
parent | dev-ruby/patron: enable ruby31 (diff) | |
download | gentoo-34253f1de1ae27affcf1f7fc05440506638b9650.tar.gz gentoo-34253f1de1ae27affcf1f7fc05440506638b9650.tar.bz2 gentoo-34253f1de1ae27affcf1f7fc05440506638b9650.zip |
dev-python/future: Patch ReDoS copied from stdlib
Bug: https://bugs.gentoo.org/888109
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'dev-python/future')
-rw-r--r-- | dev-python/future/files/future-0.18.2-cve-2022-40899.patch | 52 | ||||
-rw-r--r-- | dev-python/future/future-0.18.2-r3.ebuild (renamed from dev-python/future/future-0.18.2-r2.ebuild) | 11 |
2 files changed, 61 insertions, 2 deletions
diff --git a/dev-python/future/files/future-0.18.2-cve-2022-40899.patch b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch new file mode 100644 index 000000000000..c7341e0d6fdb --- /dev/null +++ b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch @@ -0,0 +1,52 @@ +From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001 +From: Will Shanks <wshaos@posteo.net> +Date: Fri, 23 Dec 2022 13:38:26 -0500 +Subject: [PATCH] Backport fix for bpo-38804 + +The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular +expression denial of service (REDoS). The regex contained multiple +overlapping \s* capture groups. A long sequence of spaces can trigger +bad performance. + +See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ +--- + src/future/backports/http/cookiejar.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py +index af3ef415..0ad80a02 100644 +--- a/src/future/backports/http/cookiejar.py ++++ b/src/future/backports/http/cookiejar.py +@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz): + (?::(\d\d))? # optional seconds + )? # optional clock + \s* +- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone ++ (?: ++ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone ++ \s* ++ )? ++ (?: ++ \(\w+\) # ASCII representation of timezone in parens. + \s* +- (?:\(\w+\))? # ASCII representation of timezone in parens. +- \s*$""", re.X | re.ASCII) ++ )?$""", re.X | re.ASCII) + def http2time(text): + """Returns time in seconds since epoch of time represented by a string. + +@@ -298,9 +302,11 @@ def http2time(text): + (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional) + )? # optional clock + \s* +- ([-+]?\d\d?:?(:?\d\d)? +- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT) +- \s*$""", re.X | re. ASCII) ++ (?: ++ ([-+]?\d\d?:?(:?\d\d)? ++ |Z|z) # timezone (Z is "zero meridian", i.e. GMT) ++ \s* ++ )?$""", re.X | re. ASCII) + def iso2time(text): + """ + As for http2time, but parses the ISO 8601 formats: diff --git a/dev-python/future/future-0.18.2-r2.ebuild b/dev-python/future/future-0.18.2-r3.ebuild index 1558c0ea92ce..a05bf7f207d5 100644 --- a/dev-python/future/future-0.18.2-r2.ebuild +++ b/dev-python/future/future-0.18.2-r3.ebuild @@ -5,10 +5,15 @@ EAPI=8 DISTUTILS_USE_PEP517=setuptools PYTHON_COMPAT=( python3_{8..11} pypy3 ) + inherit distutils-r1 DESCRIPTION="Easy, clean, reliable Python 2/3 compatibility" -HOMEPAGE="https://python-future.org/" +HOMEPAGE=" + https://python-future.org/ + https://github.com/PythonCharmers/python-future/ + https://pypi.org/project/future/ +" SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" LICENSE="MIT" @@ -20,7 +25,8 @@ BDEPEND=" $(python_gen_cond_dep ' dev-python/numpy[${PYTHON_USEDEP}] ' 'python*') - )" + ) +" distutils_enable_tests pytest distutils_enable_sphinx docs dev-python/sphinx-bootstrap-theme @@ -30,6 +36,7 @@ PATCHES=( "${FILESDIR}"/${P}-py39.patch "${FILESDIR}"/${P}-py39-fileurl.patch "${FILESDIR}"/${P}-py3.10.patch + "${FILESDIR}"/${P}-cve-2022-40899.patch ) EPYTEST_DESELECT=( |