From 2e557033bddcd52d5bee404d3cc9cf692fd94887 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Mon, 5 Jan 2026 09:32:00 +0100 Subject: python3-configobj: patch CVE-2023-26112 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112 Pick the patch that resolves the issue referenced in the NVD report. Signed-off-by: Gyorgy Sarvari --- .../python/python3-configobj/CVE-2023-26112.patch | 25 ++++++++++++++++++++++ .../python/python3-configobj_5.0.6.bb | 3 ++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch (limited to 'meta-python/recipes-devtools') diff --git a/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch new file mode 100644 index 0000000000..35d8ea77cf --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch @@ -0,0 +1,25 @@ +From 76dd27ec0dbde6c852f412390ac4e2cfefa8af76 Mon Sep 17 00:00:00 2001 +From: cdcadman +Date: Wed, 17 May 2023 03:57:08 -0700 +Subject: [PATCH] Address CVE-2023-26112 ReDoS + +CVE: CVE-2023-26112 +Upstream-Status: Backport [https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5] +Signed-off-by: Gyorgy Sarvari +--- + validate.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/validate.py b/validate.py +index b7a964c..af76898 100644 +--- a/validate.py ++++ b/validate.py +@@ -542,7 +542,7 @@ class Validator(object): + """ + + # this regex does the initial parsing of the checks +- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL) ++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL) + + # this regex takes apart keyword arguments + _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL) diff --git a/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb b/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb index 1125a6389d..589ad6f1d9 100644 --- a/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb +++ b/meta-python/recipes-devtools/python/python3-configobj_5.0.6.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://configobj.py;md5=a7c3968dd866dfd23e91e125b669ab21" PYPI_PACKAGE = "configobj" SRC_URI[sha256sum] = "a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902" -SRC_URI += "file://0001-Switch-from-using-distutils-to-setuptools.patch" +SRC_URI += "file://0001-Switch-from-using-distutils-to-setuptools.patch \ + file://CVE-2023-26112.patch" inherit pypi setuptools3 -- cgit v1.2.3-54-g00ecf