diff --git a/SOURCES/python-mako-1.1.14-CVE-2022-40023.patch b/SOURCES/python-mako-1.1.14-CVE-2022-40023.patch
new file mode 100644
index 0000000..ba81e9b
--- /dev/null
+++ b/SOURCES/python-mako-1.1.14-CVE-2022-40023.patch
@@ -0,0 +1,87 @@
+From 0969203d36a128f42d7e4025ca29b5dfa74e1a21 Mon Sep 17 00:00:00 2001
+From: Mike Bayer <mike_mp@zzzcomputing.com>
+Date: Mon, 29 Aug 2022 12:28:52 -0400
+Subject: [PATCH] fix tag regexp to match quoted groups correctly
+
+Fixed issue in lexer where the regexp used to match tags would not
+correctly interpret quoted sections individually. While this parsing issue
+still produced the same expected tag structure later on, the mis-handling
+of quoted sections was also subject to a regexp crash if a tag had a large
+number of quotes within its quoted sections.
+
+Fixes: #366
+Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
+---
+ doc/build/unreleased/366.rst |  9 +++++++++
+ mako/lexer.py                | 12 ++++++++----
+ test/test_lexer.py           |  4 ++++
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 doc/build/unreleased/366.rst
+
+diff --git a/doc/build/unreleased/366.rst b/doc/build/unreleased/366.rst
+new file mode 100644
+index 0000000..27b0278
+--- /dev/null
++++ b/doc/build/unreleased/366.rst
+@@ -0,0 +1,9 @@
++.. change::
++    :tags: bug, lexer
++    :tickets: 366
++
++    Fixed issue in lexer where the regexp used to match tags would not
++    correctly interpret quoted sections individually. While this parsing issue
++    still produced the same expected tag structure later on, the mis-handling
++    of quoted sections was also subject to a regexp crash if a tag had a large
++    number of quotes within its quoted sections.
+\ No newline at end of file
+diff --git a/mako/lexer.py b/mako/lexer.py
+index 6226e26..c8eee6f 100644
+--- a/mako/lexer.py
++++ b/mako/lexer.py
+@@ -295,20 +295,24 @@ class Lexer(object):
+         return self.template
+ 
+     def match_tag_start(self):
+-        match = self.match(
+-            r"""
++        reg = r"""
+             \<%     # opening tag
+ 
+             ([\w\.\:]+)   # keyword
+ 
+-            ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*)  # attrname, = \
++            ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*)  # attrname, = \
+                                                #        sign, string expression
++                                               # comma is for backwards compat
++                                               # identified in #366
+ 
+             \s*     # more whitespace
+ 
+             (/)?>   # closing
+ 
+-            """,
++        """
++
++        match = self.match(
++            reg,
+             re.I | re.S | re.X,
+         )
+ 
+diff --git a/test/test_lexer.py b/test/test_lexer.py
+index 9807961..7d4b146 100644
+--- a/test/test_lexer.py
++++ b/test/test_lexer.py
+@@ -146,6 +146,10 @@ class LexerTest(TemplateTest):
+         """
+         self.assertRaises(exceptions.CompileException, Lexer(template).parse)
+ 
++    def test_tag_many_quotes(self):
++        template = "<%0" + '"' * 3000
++        self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)
++
+     def test_unmatched_tag(self):
+         template = """
+         <%namespace name="bar">
+-- 
+2.38.1
+
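Review bot: In the new pattern in `match_tag_start`, the alternatives `\s*=\s*` and `\s*,\s*` both begin and end with optional whitespace inside the repeated group, so a run of whitespace between two adjacent separators can be claimed by either iteration. This looks like the same class of backtracking cost that the `"[^"]*?"` change removes for quotes, but I have not measured it, and the added `test_tag_many_quotes` covers only the quote case. It is worth raising upstream and adding a sibling regression test that checks an unterminated tag with many repeated separators is rejected promptly. Separately, the lazy `*?` in `"[^"]*?"` and `'[^']*?'` is redundant once the class excludes the delimiter, so `"[^"]*"` and `'[^']*'` would read more clearly. `match_tag_start` continues past the end of this hunk, so how the match groups are consumed is not visible here.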
diff --git a/SPECS/python-mako.spec b/SPECS/python-mako.spec
index b860408..370608c 100644
--- a/SPECS/python-mako.spec
+++ b/SPECS/python-mako.spec
@@ -1,6 +1,6 @@
 Name: python-mako
 Version: 1.1.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 BuildArch: noarch
 
 # Mostly MIT, but _ast_util.py is Python licensed.
@@ -9,6 +9,8 @@ License: (MIT and Python) and (BSD or GPLv2)
 Summary: Mako template library for Python
 URL: http://www.makotemplates.org/
 Source0: https://github.com/sqlalchemy/mako/archive/rel_%(echo %{version} | sed "s/\./_/g").tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133606
+Patch0:  python-mako-1.1.14-CVE-2022-40023.patch
 
 BuildRequires: python3-devel
 BuildRequires: python3-pytest
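Review bot: The patch is named `python-mako-1.1.14-CVE-2022-40023.patch` while `Version:` is 1.1.4, so the file name points at a release this package does not ship. Renaming it to `python-mako-1.1.4-CVE-2022-40023.patch`, in both the file and the `Patch0:` line, would keep the audit trail unambiguous. The `%prep` section is outside this hunk, so confirm that it actually applies `Patch0` (for example via `%autosetup -p1`). A declared but unapplied patch would ship the unfixed lexer while the changelog records CVE-2022-40023 as fixed. The `pytest-3` run would still pass in that case, because `test_tag_many_quotes` is only added by the patch itself.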
@@ -89,6 +91,9 @@ pytest-3
 
 
 %changelog
+* Thu Nov 17 2022 David King <amigadave@amigadave.com> - 1.1.4-6
+- Fix CVE-2022-40023 (#2133606)
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.4-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688