
Inefficient regular expression complexity in EntryPoint.pattern #90632

Closed
jaraco opened this issue Jan 22, 2022 · 7 comments
Assignees: jaraco
Labels: 3.8 (only security fixes), 3.9 (only security fixes), 3.10 (only security fixes), 3.11 (only security fixes), stdlib (Python modules in the Lib dir), type-security (A security issue)

Comments

@jaraco
Member

jaraco commented Jan 22, 2022

BPO 46474
Nosy @jaraco, @ambv
PRs
  • bpo-46474: sync with importlib_metadata 4.10.0 #30802
  • bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) #30803
  • [3.10] bpo-46474: Avoid REDoS in EntryPoint.pattern (GH-30803) #30827
  • [3.9] bpo-46474: Avoid REDoS in EntryPoint.pattern (GH-30803). #30828
  • [3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (GH-30803). #30829

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/jaraco'
    closed_at = <Date 2022-01-23.15:19:20.306>
    created_at = <Date 2022-01-22.19:18:51.485>
    labels = ['type-security', '3.8', '3.9', '3.10', '3.11', 'library']
    title = 'Inefficient regular expression complexity in EntryPoint.pattern'
    updated_at = <Date 2022-02-14.17:56:17.259>
    user = 'https://github.com/jaraco'

    bugs.python.org fields:

    activity = <Date 2022-02-14.17:56:17.259>
    actor = 'lukasz.langa'
    assignee = 'jaraco'
    closed = True
    closed_date = <Date 2022-01-23.15:19:20.306>
    closer = 'jaraco'
    components = ['Library (Lib)']
    creation = <Date 2022-01-22.19:18:51.485>
    creator = 'jaraco'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 46474
    keywords = ['patch']
    message_count = 7.0
    messages = ['411282', '411286', '411335', '411340', '411377', '411378', '413240']
    nosy_count = 2.0
    nosy_names = ['jaraco', 'lukasz.langa']
    pr_nums = ['30802', '30803', '30827', '30828', '30829']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue46474'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

@jaraco
Member Author

jaraco commented Jan 22, 2022

As originally reported to the Python Security Response Team, the EntryPoint.pattern demonstrates a potential ReDoS.

The issue has been patched and the fix released with importlib_metadata 4.10.1. Let's get that fix incorporated into Python as well.

@jaraco jaraco added the 3.8, 3.9, 3.10, 3.11 (only security fixes), stdlib (Python modules in the Lib dir) and type-security (A security issue) labels Jan 22, 2022
@jaraco jaraco self-assigned this Jan 22, 2022
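A worked example, added here and not part of this issue or of importlib_metadata: the two regexes below are reproduced from my recollection of EntryPoint.pattern in importlib_metadata 4.10.0 (before the fix) and 4.10.1 (after), so treat their exact text as an assumption and check it against the PRs linked above; the parser and timing harness around them are mine. The mechanism shown is one input class that triggers the backtracking: when the optional ":attr" and "[extras]" groups match nothing, the old pattern leaves three \s* quantifiers back to back, so a run of n spaces followed by a character that can never match is split between them in roughly n^2/2 ways before the match is reported as failed. The fix moves each trailing \s* inside the group it belongs to, leaving a single way to consume the whitespace. The value being matched comes from an installed distribution's entry_points.txt, so any code that enumerates entry points parses strings it did not write.

```python
import re
import time

# Assumed: these two patterns are reproduced from memory of
# importlib_metadata 4.10.0 (vulnerable) and 4.10.1 (fixed), not copied
# from this issue. Verify against the linked PRs before quoting them.
VULNERABLE_PATTERN = re.compile(
    r'(?P<module>[\w.]+)\s*'
    r'(:\s*(?P<attr>[\w.]+))?\s*'   # \s* after an optional group ...
    r'(?P<extras>\[.*\])?\s*$'      # ... and again: three \s* in a row
)

FIXED_PATTERN = re.compile(
    r'(?P<module>[\w.]+)\s*'
    r'(:\s*(?P<attr>[\w.]+)\s*)?'   # trailing \s* moved inside the group
    r'((?P<extras>\[.*\])\s*)?$'    # same here: no adjacent \s* quantifiers
)


def parse_entry_point(value, pattern=FIXED_PATTERN):
    """Parse 'pkg.mod:attr [extra1, extra2]' into its parts.

    Returns None when the value does not match the grammar. Extras are
    split into bare names, roughly what EntryPoint.extras exposes.
    """
    match = pattern.match(value)
    if match is None:
        return None
    return {
        'module': match.group('module'),
        'attr': match.group('attr'),
        'extras': re.findall(r'\w+', match.group('extras') or ''),
    }


def redos_input(n):
    """Constructed worst case: a name, n spaces, then a character that
    can never match, so the engine must try every way of splitting the
    spaces between the \\s* quantifiers before it can report failure."""
    return 'x' + ' ' * n + '!'


def time_match(pattern, value):
    """Seconds for a single anchored match attempt."""
    start = time.perf_counter()
    pattern.match(value)
    return time.perf_counter() - start


def main():
    # Doubling n roughly quadruples the vulnerable time; the fixed
    # pattern backtracks linearly and finishes in microseconds.
    for n in (1000, 2000, 4000):
        value = redos_input(n)
        print(f'n={n:5d}  vulnerable={time_match(VULNERABLE_PATTERN, value):.4f}s'
              f'  fixed={time_match(FIXED_PATTERN, value):.6f}s')


if __name__ == '__main__':
    main()
```

Run it directly to see the timings grow with n. Both patterns accept the same valid entry point values and reject the same invalid ones; only the amount of work spent rejecting changes. The same review check applies to any regex applied to untrusted input under a backtracking engine such as Python's re: two quantifiers that can consume the same characters, separated only by optional groups, are the ambiguity to look for.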
@jaraco
Member Author

jaraco commented Jan 22, 2022

Because I want this security issue to be back-portable to older Pythons, I'll first apply importlib_metadata 4.10.0 and then apply the change from 4.10.1 separately.

@jaraco
Member Author

jaraco commented Jan 23, 2022

New changeset 443dec6 by Jason R. Coombs in branch 'main':
bpo-46474: Apply changes from importlib_metadata 4.10.0 (GH-30802)

@jaraco
Member Author

jaraco commented Jan 23, 2022

New changeset 51c3e28 by Jason R. Coombs in branch 'main':
bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803)

@jaraco
Member Author

jaraco commented Jan 23, 2022

New changeset a7a4ca4 by Jason R. Coombs in branch '3.10':
[3.10] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803) (GH-30827)

@jaraco
Member Author

jaraco commented Jan 23, 2022

New changeset 1514d12 by Jason R. Coombs in branch '3.9':
[3.9] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (GH-30828)

@jaraco jaraco closed this as completed Jan 23, 2022
@ambv
Contributor

ambv commented Feb 14, 2022

New changeset 8a84aef by Jason R. Coombs in branch '3.8':
[3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (bpo-30829)

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022