| author | Liguros - Gitlab CI/CD [develop] <gitlab@liguros.net> | 2020-12-12 12:49:09 +0000 |
|---|---|---|
| committer | Liguros - Gitlab CI/CD [develop] <gitlab@liguros.net> | 2020-12-12 12:49:09 +0000 |
| commit | 8d7804efbd907eec22d8470e8200dcfd3c5bdd93 (patch) | |
| tree | bd9889fb4bcc4925235ffdfa2e3bb64096c5edca /dev-python/py | |
| parent | 3d8bd01b0127a0a6b488b28e2a68b44942a971f4 (diff) | |
Updating liguros repo
Diffstat (limited to 'dev-python/py')
| -rw-r--r-- | dev-python/py/files/py-1.9.0-cve-2020-29651.patch | 31 | ||||
| -rw-r--r-- | dev-python/py/py-1.9.0-r2.ebuild (renamed from dev-python/py/py-1.9.0-r1.ebuild) | 4 |
2 files changed, 35 insertions, 0 deletions
diff --git a/dev-python/py/files/py-1.9.0-cve-2020-29651.patch b/dev-python/py/files/py-1.9.0-cve-2020-29651.patch
new file mode 100644
index 000000000000..af89fb14808c
--- /dev/null
+++ b/dev-python/py/files/py-1.9.0-cve-2020-29651.patch
@@ -0,0 +1,31 @@
+From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001
+From: Ran Benita <ran@unusedvar.com>
+Date: Fri, 4 Sep 2020 13:57:26 +0300
+Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame
+ functionality
+
+The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
+to catastrophic backtracing given a string like `"1" * 5000`.
+
+SVN blame output seems to always have at least one space between the
+revision number and the user name, so the ambiguity can be fixed by
+changing the `*` to `+`.
+
+Fixes #256.
+---
+ py/_path/svnwc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py
+index 3138dd85..b5b9d8d5 100644
+--- a/py/_path/svnwc.py
++++ b/py/_path/svnwc.py
+@@ -396,7 +396,7 @@ def makecmdoptions(self):
+ def __str__(self):
+ return "<SvnAuth username=%s ...>" %(self.username,)
+
+-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
++rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
+
+ class SvnWCCommandPath(common.PathBase):
+ """ path implementation offering access/modification to svn working copies.
diff --git a/dev-python/py/py-1.9.0-r1.ebuild b/dev-python/py/py-1.9.0-r2.ebuild
index 2c4b7bec6c47..96988edc26ed 100644
--- a/dev-python/py/py-1.9.0-r1.ebuild
+++ b/dev-python/py/py-1.9.0-r2.ebuild
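Review bot: The tightened `rex_blame` pattern in the added patch has no comment saying why `\s+` is required between the revision and the author, so a later edit could relax it back to `\s*` and reintroduce the backtracking described in the patch header. I would put `# \s+ (not \s*): keeps (\d+) and (\S+) from matching the same digits; see CVE-2020-29651` directly above the assignment. The change also means a blame line with no whitespace after the revision number no longer matches. How the caller treats a failed match is outside this hunk, so it is worth confirming that it fails loudly rather than silently dropping the line.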
@@ -14,6 +14,8 @@ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" LICENSE="MIT" SLOT="0" KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# This package is unmaintained and keeps being broken periodically. +RESTRICT=test BDEPEND=" dev-python/setuptools_scm[${PYTHON_USEDEP}]" @@ -21,6 +23,8 @@ BDEPEND=" PATCHES=( "${FILESDIR}"/${PN}-1.5.2-skip-apiwarn-pytest31.patch "${FILESDIR}"/${PN}-1.8.0-pytest-4.patch + # https://bugs.gentoo.org/759547 + "${FILESDIR}"/${P}-cve-2020-29651.patch ) distutils_enable_sphinx doc |
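Review bot: `RESTRICT=test` in the first hunk lands in the same revision that adds the CVE-2020-29651 backport, so the ebuild's test phase no longer runs against the patched `svnwc` code. A misapplied or regressed patch would then only show up at runtime. The comment above it gives a reason but no reference; I would extend it to something like `# Tests restricted: upstream unmaintained, suite breaks periodically (bug <BUG-ID>)` so the restriction can be revisited. The second hunk, which appends the patch to `PATCHES` with its bug URL, raises nothing further.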
