devel/py-configobj: Fix security issue CVE-2023-26112

- Add a patch to fix Regular Expression Denial of Service. It is an unofficial patch [1], but it has already been applied by other projects such as Debian or Fedora [2]. - Bump PORTREVISION Reference: https://github.com/DiffSK/configobj/pull/236 [1] Reference: https://salsa.debian.org/python-team/packages/configobj/-/blob/master/debian/patches/CVE-2023-26112?ref_type=heads [2] Reference: https://bodhi.fedoraproject.org/updates/FEDORA-2023-27b41bb133 [2] Security: CVE-2023-26112
2024-12-27 05:10:36 +00:00 · 2024-08-29 10:37:13 +02:00 · 2024-08-29 10:37:13 +02:00 · 9567ab3ffe
commit 9567ab3ffe
parent 889c6b737f
2 changed files with 17 additions and 1 deletions
--- a/devel/py-configobj/Makefile
+++ b/devel/py-configobj/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	configobj
 PORTVERSION=	5.0.8
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
--- a/devel/py-configobj/files/patch-src_configobj_validate.py
+++ b/devel/py-configobj/files/patch-src_configobj_validate.py
@ -0,0 +1,16 @@
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+--- src/configobj/validate.py.orig	2023-01-18 22:28:31 UTC
+++ src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+ 
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
+    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)