Fedora has issued an advisory today (January 5):
The issue is fixed upstream in 1.10.0.
Mageia 7 is also affected.
Fixed upstream in 1.10.0
Fixed in cauldron and new rpm pushed in mga7.
Updated python-py packages fix security vulnerability:
A denial of service via regular expression in the py.path.svnwc component of
python-py through 1.9.0 could be used by attackers to cause a compute-time
denial of service attack by supplying malicious input to the blame
Updated packages in core/updates_testing:
Fixed upstream in 1.10.0
*** Bug 28139 has been marked as a duplicate of this bug. ***
This page describes an exploit using a regular expression on the string "1"*5000 which precipitates catastrophic backtracking.
Not enough detail for the uninitiated, so we shall have to let it go.
Updated the three packages.
python-py is a development support library.
Documentation at file:///usr/share/doc/python-py-doc/html/index.html
There are examples of the use of the API in one of the chapters. e.g.
>>> import py
>>> p1 = py.path.local( '/foo/bar' )
>>> p2 = p1.join( 'baz/qux' )
>>> p2 == py.path.local( '/foo/bar/baz/qux' )
>>> sep = py.path.local.sep
>>> p2.join( p2.bestrelpath( p1 ) ) == p1
>>> p3 = p1 / 'baz/qux'
>>> p2 == p3
>>> p4 = p1 + ".py"
>>> p4.basename == "bar.py"
>>> p4.ext == ".py"
>>> p4.purebasename == "bar"
>>> print( p4.purebasename )
>>> exit( )
The same instructions supplied to python3 as a script produced the same results.
Elementary stuff but as far as we go. Giving this a pass.
Validating. Advisory and packages in Comment 2.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.