summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'dev-python/future')
-rw-r--r--dev-python/future/files/future-0.18.2-cve-2022-40899.patch52
-rw-r--r--dev-python/future/future-0.18.2-r3.ebuild (renamed from dev-python/future/future-0.18.2-r2.ebuild)11
2 files changed, 61 insertions, 2 deletions
diff --git a/dev-python/future/files/future-0.18.2-cve-2022-40899.patch b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch
new file mode 100644
index 000000000000..c7341e0d6fdb
--- /dev/null
+++ b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch
@@ -0,0 +1,52 @@
+From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001
+From: Will Shanks <wshaos@posteo.net>
+Date: Fri, 23 Dec 2022 13:38:26 -0500
+Subject: [PATCH] Backport fix for bpo-38804
+
+The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
+expression denial of service (REDoS). The regex contained multiple
+overlapping \s* capture groups. A long sequence of spaces can trigger
+bad performance.
+
+See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
+---
+ src/future/backports/http/cookiejar.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py
+index af3ef415..0ad80a02 100644
+--- a/src/future/backports/http/cookiejar.py
++++ b/src/future/backports/http/cookiejar.py
+@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz):
+ (?::(\d\d))? # optional seconds
+ )? # optional clock
+ \s*
+- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
++ (?:
++ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
++ \s*
++ )?
++ (?:
++ \(\w+\) # ASCII representation of timezone in parens.
+ \s*
+- (?:\(\w+\))? # ASCII representation of timezone in parens.
+- \s*$""", re.X | re.ASCII)
++ )?$""", re.X | re.ASCII)
+ def http2time(text):
+ """Returns time in seconds since epoch of time represented by a string.
+
+@@ -298,9 +302,11 @@ def http2time(text):
+ (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
+ )? # optional clock
+ \s*
+- ([-+]?\d\d?:?(:?\d\d)?
+- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
+- \s*$""", re.X | re. ASCII)
++ (?:
++ ([-+]?\d\d?:?(:?\d\d)?
++ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
++ \s*
++ )?$""", re.X | re. ASCII)
+ def iso2time(text):
+ """
+ As for http2time, but parses the ISO 8601 formats:
diff --git a/dev-python/future/future-0.18.2-r2.ebuild b/dev-python/future/future-0.18.2-r3.ebuild
index 1558c0ea92ce..a05bf7f207d5 100644
--- a/dev-python/future/future-0.18.2-r2.ebuild
+++ b/dev-python/future/future-0.18.2-r3.ebuild
@@ -5,10 +5,15 @@ EAPI=8
DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{8..11} pypy3 )
+
inherit distutils-r1
DESCRIPTION="Easy, clean, reliable Python 2/3 compatibility"
-HOMEPAGE="https://python-future.org/"
+HOMEPAGE="
+ https://python-future.org/
+ https://github.com/PythonCharmers/python-future/
+ https://pypi.org/project/future/
+"
SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
LICENSE="MIT"
@@ -20,7 +25,8 @@ BDEPEND="
$(python_gen_cond_dep '
dev-python/numpy[${PYTHON_USEDEP}]
' 'python*')
- )"
+ )
+"
distutils_enable_tests pytest
distutils_enable_sphinx docs dev-python/sphinx-bootstrap-theme
@@ -30,6 +36,7 @@ PATCHES=(
"${FILESDIR}"/${P}-py39.patch
"${FILESDIR}"/${P}-py39-fileurl.patch
"${FILESDIR}"/${P}-py3.10.patch
+ "${FILESDIR}"/${P}-cve-2022-40899.patch
)
EPYTEST_DESELECT=(