Fedora has issued an advisory today (January 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/ The issue is fixed upstream in 1.10.0. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.10.0
fixed in cauldron and new rpm pushed in mga7 src: python-py-1.8.0-1.1.mga7
CC: (none) => mageia
Assignee: python => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Advisory:
========================

Updated python-py packages fix security vulnerability:

A denial of service via regular expression in the py.path.svnwc component of python-py through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality (CVE-2020-29651).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29651
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/
========================

Updated packages in core/updates_testing:
========================

python2-py-1.8.0-1.1.mga7
python3-py-1.8.0-1.1.mga7
python-py-doc-1.8.0-1.1.mga7

from python-py-1.8.0-1.1.mga7.src.rpm
Status comment: Fixed upstream in 1.10.0 => (none)
*** Bug 28139 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Source RPM: python3-py-1.9.0-1.mga8.src.rpm => python-py-1.8.0-1.mga7.src.rpm
CVE: (none) => CVE-2020-29651
CC: (none) => ouaurelien
mga7, x86

CVE-2020-29651
https://github.com/pytest-dev/py/issues/256

This page describes an exploit using a regular expression on the string "1"*5000 which precipitates catastrophic backtracking. Not enough detail for the uninitiated so we shall have to let it go.

Updated the three packages.

python-py is a development support library. Documentation at file:///usr/share/doc/python-py-doc/html/index.html
There are examples of the use of the API in one of the chapters. e.g.

$ python2
>>> import py
>>> p1 = py.path.local( '/foo/bar' )
>>> p2 = p1.join( 'baz/qux' )
>>> p2 == py.path.local( '/foo/bar/baz/qux' )
True
>>> sep = py.path.local.sep
>>> p2.join( p2.bestrelpath( p1 ) ) == p1
True
>>> p3 = p1 / 'baz/qux'
>>> p2 == p3
True
>>> p4 = p1 + ".py"
>>> p4.basename == "bar.py"
True
>>> p4.ext == ".py"
True
>>> p4.purebasename == "bar"
True
>>> print( p4.purebasename )
bar
>>> exit( )

The same instructions supplied to python3 as a script produced the same results.

Elementary stuff but as far as we go. Giving this a pass.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
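The QA comment above notes that the upstream issue is catastrophic regex backtracking when parsing blame output. As an added illustration (not code from the py project, and not its actual pattern, which this report does not show), the following Python demonstrates the two mitigations a maintainer typically applies to such a parser: cap the input length before any matching, and use a pattern with no nested quantifiers so the work done on a hostile line stays proportional to its length. The blame line format (revision, spaces, author, one space, line text) and the sample lines are constructed for the example.

```python
"""Bounded parsing of svn-blame-style output lines without backtracking-prone regexes.

Added example; the line format and sample data are constructed, not svn's exact output.
"""
import re

# Constructed sample: revision, whitespace, author, a single space, then the line text.
SAMPLE_BLAME = """\
   12 alice import os
  340 bob def main():
  340 bob     return 0
"""

# Upper bound on a single line handed to the matcher. A hard cap turns an
# unbounded compute-time problem into a constant one, whatever the pattern.
MAX_LINE_LEN = 4096

# Every quantifier here is over a plain character class and no quantified group
# is itself quantified, so backtracking is bounded by the line length.
BLAME_RE = re.compile(r"\s*(\d+)\s+(\S+) (.*)")


def parse_blame_line(line):
    """Return (revision, author, text) or None for a line that does not fit.

    Overlong input is rejected before matching, so a hostile line such as
    "1" * 5000 never reaches the regex engine at all.
    """
    if len(line) > MAX_LINE_LEN:
        return None
    m = BLAME_RE.fullmatch(line.rstrip("\n"))
    if m is None:
        return None
    rev, author, text = m.groups()
    return int(rev), author, text


def parse_blame(output):
    """Parse whole blame output, skipping lines that do not parse cleanly."""
    parsed = []
    for line in output.splitlines():
        entry = parse_blame_line(line)
        if entry is not None:
            parsed.append(entry)
    return parsed


if __name__ == "__main__":
    for rev, author, text in parse_blame(SAMPLE_BLAME):
        print(rev, author, repr(text))
    # Hostile input is rejected by the length cap, not by burning CPU.
    print(parse_blame_line("1" * 5000))
```

The length cap is the cheap, pattern-independent defence; the linear pattern is what keeps lines that pass the cap from costing more than a few thousand matching steps. Both are worth keeping even after a vulnerable regex has been rewritten, since a later edit to the pattern can reintroduce nested quantifiers.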
Validating. Advisory and packages in Comment 2. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0071.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED