[Bug 1215274] New: python-python-rpm-spec: DoS on carefully crafted RPM spec files
https://bugzilla.suse.com/show_bug.cgi?id=1215274

            Bug ID: 1215274
           Summary: python-python-rpm-spec: DoS on carefully crafted RPM spec files
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Python
          Assignee: python-maintainers@suse.com
          Reporter: martin.schreiner@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Created attachment 869468
  --> https://bugzilla.suse.com/attachment.cgi?id=869468&action=edit
patch file fixing the issue

Currently, it's possible to trick replace_macros() into never returning, causing a DoS to software using this library with carefully crafted spec files.

The offending code in replace_macros() may be found here:
https://github.com/bkircher/python-rpm-spec/blob/ef0f2daa77d49480446423abefe...

Upstream issue, reported by David Anes, who also contributed the patch we're submitting:
https://github.com/bkircher/python-rpm-spec/issues/61

--
You are receiving this mail because:
You are on the CC list for the bug.
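As an added illustration of the failure mode described above, and not the reporter's patch or python-rpm-spec's own code: a hypothetical bounded macro expander in which definitions that refer back to each other, or that grow on every pass, raise an error instead of hanging the caller. Every name here (replace_macros_bounded, MAX_PASSES, expand_tag, the sample specs) is this example's own assumption, and the spec syntax handled is a simplified subset.

```python
import re
from typing import Dict

# Hypothetical expander (not python-rpm-spec's code) showing the defensive
# shape: a "loop until nothing changes" expansion must be bounded, because
# definitions that refer to each other, or that grow on every pass, never settle.
MACRO_RE = re.compile(r"%\{(\w+)\}|%(\w+)")
MAX_PASSES = 100  # chosen bound for this example, not a library setting


class MacroExpansionError(ValueError):
    """Raised instead of looping forever on a malformed macro set."""


def parse_defines(spec_text: str) -> Dict[str, str]:
    """Collect '%define NAME VALUE' / '%global NAME VALUE' lines (simplified subset)."""
    macros: Dict[str, str] = {}
    for line in spec_text.splitlines():
        m = re.match(r"^\s*%(?:define|global)\s+(\w+)\s+(.*)$", line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def replace_macros_bounded(value: str, macros: Dict[str, str]) -> str:
    """Expand %name / %{name} until stable; fail closed on cycles or runaway growth."""
    seen = {value}
    for _ in range(MAX_PASSES):
        new = MACRO_RE.sub(lambda m: macros.get(m.group(1) or m.group(2), m.group(0)), value)
        if new == value:          # nothing left to expand: the normal exit
            return new
        if new in seen:           # a -> %{b}, b -> %{a}: the same text came back
            raise MacroExpansionError(f"macro cycle while expanding {value!r}")
        seen.add(new)
        value = new
    raise MacroExpansionError(f"no fixed point after {MAX_PASSES} passes")


def expand_tag(spec_text: str, tag: str) -> str:
    """Expand the value of one 'Tag: value' line using the spec's own defines."""
    m = re.search(rf"^{re.escape(tag)}:\s*(.*)$", spec_text, re.MULTILINE)
    if m is None:
        raise KeyError(tag)
    return replace_macros_bounded(m.group(1).strip(), parse_defines(spec_text))


# Constructed sample specs for the checks below, not real package files.
SPEC_OK = "%define pkgname rpm-spec\n%global ver 0.14.1\nName: python-%{pkgname}\nSource0: %{pkgname}-%{ver}.tar.gz\n"
SPEC_CYCLE = "%define a %{b}\n%define b %{a}\nName: %{a}\n"
SPEC_GROW = "%define g %{g}x\nName: %{g}\n"
```

A well-formed spec expands to a fixed point in a couple of passes; the two malformed samples hit the seen-set check and the pass limit respectively, which is the behaviour a caller parsing untrusted spec files needs.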
https://bugzilla.suse.com/show_bug.cgi?id=1215274

Martin Schreiner <martin.schreiner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |david.anes@suse.com,
                   |                            |martin.schreiner@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1215274
https://bugzilla.suse.com/show_bug.cgi?id=1215274#c1

Markéta Machová <mmachova@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mmachova@suse.com

--- Comment #1 from Markéta Machová <mmachova@suse.com> ---
Fixed in Factory with https://build.opensuse.org/request/show/1111023 (thanks!).

Does this also affect the version in Leap?
https://bugzilla.suse.com/show_bug.cgi?id=1215274
https://bugzilla.suse.com/show_bug.cgi?id=1215274#c2

Matej Cepl <mcepl@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcepl@suse.com

--- Comment #2 from Matej Cepl <mcepl@suse.com> ---
(In reply to Markéta Machová from comment #1)
> Does this also affect the version in Leap?

It doesn't seem to be outside of Factory at all:

$ isc se -V python-python-rpm-spec
No matches found for 'python-python-rpm-spec' in projects

####################################################################
matches for 'python-python-rpm-spec' in packages:

# Project           # Package                # Ver    Rev  Srcmd5
SUSE:Factory:Head   python-python-rpm-spec   0.14.1   6    f7b82e06eaa8d47edc8030a73e627249
$