devel/py-configobj: Fix security issue CVE-2023-26112

- Add a patch to fix Regular Expression Denial of Service. It is an unofficial patch [1], but it has already been applied by other projects such as Debian or Fedora [2]. - Bump PORTREVISION Reference: DiffSK/configobj#236 [1] Reference: https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2] Reference: https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2] Security: CVE-2023-26112
freebsd · Aug 29, 2024 · 9567ab3 · 9567ab3
1 parent 889c6b7
commit 9567ab3
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/devel/py-configobj/Makefile b/devel/py-configobj/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	configobj
 PORTVERSION=	5.0.8
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}

diff --git a/devel/py-configobj/files/patch-src_configobj_validate.py b/devel/py-configobj/files/patch-src_configobj_validate.py
@@ -0,0 +1,16 @@
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+--- src/configobj/validate.py.orig	2023-01-18 22:28:31 UTC
++++ src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)