Description: "The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2)."
PR: https://github.com/urllib3/urllib3/pull/1787
Patch: https://github.com/urllib3/urllib3/pull/1787/commits/4ab10abde715c7098e77686462b987586825d228
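To make the complexity argument in the description concrete, here is an added example (reconstructed illustration code, not urllib3's own implementation and not the contents of the linked patch). It compares the non-deduplicated replace loop the description criticizes with a deduplicated loop and with a single-pass regex rewrite, counting how many full-string scans each performs. The regex PERCENT_RE, the function names and the constructed inputs are assumptions of this example; the 22 ** 2 == 484 bound follows from string.hexdigits having 22 characters.

```python
import itertools
import re
import string
import time

# Assumption: a percent-encoded byte is '%' followed by two hex digits of
# either case. This mirrors the shape of match the description talks about;
# everything below is a reconstruction of the pattern, not urllib3's code.
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def all_percent_encodings():
    """Every possible two-hex-digit percent encoding, mixed case included.
    string.hexdigits is '0123456789abcdefABCDEF' (22 chars), so there are
    22 ** 2 == 484 of them: the k in the description's O(kN) bound."""
    return {"%" + a + b for a, b in itertools.product(string.hexdigits, repeat=2)}


def normalize_quadratic(component):
    """Vulnerable pattern: collect every match (duplicates included) and run
    str.replace once per match. Each replace rescans the whole string, so a
    URL made of N identical lowercase encodings costs N full scans: O(N^2).
    Returns (normalized_component, number_of_full_string_scans)."""
    percent_encodings = PERCENT_RE.findall(component)  # not deduplicated
    scans = 0
    for enc in percent_encodings:
        # str.isupper() is False for all-digit encodings such as '%20'
        # (no cased characters), so those trigger a no-op replace as well.
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            scans += 1
    return component, scans


def normalize_dedup(component):
    """Deduplicated variant: the loop body runs at most once per distinct
    encoding, so scans <= 484 regardless of URL length: O(kN)."""
    scans = 0
    for enc in set(PERCENT_RE.findall(component)):
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            scans += 1
    return component, scans


def normalize_single_pass(component):
    """One regex pass that uppercases each match in place: O(N), one scan.
    Shown as an alternative; whether the upstream patch does exactly this is
    not stated on this page."""
    normalized, _ = PERCENT_RE.subn(lambda m: m.group(0).upper(), component)
    return normalized, 1


def time_it(func, component):
    """Wall-clock seconds for one call; only used by the demo below."""
    start = time.perf_counter()
    func(component)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed input: a path made of N identical lowercase encodings,
    # the worst case for the quadratic version.
    for n in (2_000, 8_000):
        url = "/a?" + "%ab" * n
        print(f"len={len(url):>6}: "
              f"quadratic {time_it(normalize_quadratic, url):.3f}s, "
              f"dedup {time_it(normalize_dedup, url):.4f}s, "
              f"single pass {time_it(normalize_single_pass, url):.4f}s")
```

Doubling n roughly quadruples the quadratic variant's time while the other two stay flat, which is the CPU-consumption DoS the description refers to; the scan counters make the same point without relying on timings.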
Let's stabilize it where possible for a start.
An automated check of this bug failed - repoman reported dependency errors (110 lines truncated):
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-python/trustme-0.5.3[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-python/trustme-0.5.3[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=dev-python/trustme-0.5.3[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
An automated check of this bug failed - repoman reported dependency errors (70 lines truncated):
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: arm(default/linux/arm/17.0) ['dev-python/brotlipy[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['dev-python/brotlipy[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: RDEPEND: arm64(default/linux/arm64/17.0) ['dev-python/brotlipy[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Just for the record: the current stable =dev-python/urllib3-1.24.2 was *not* affected. The vulnerability was introduced with commit https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a (1.25.2).
Arch testers, if urllib3 fails tests due to resolver errors, you can either disable network-sandbox, add 'localhost.' (with a trailing dot) to /etc/hosts, or use nss_myhostname. I'm looking into how to make it work properly with the default config.
dev-python/requests-2.21.0-r1 requires <urllib3-1.25 and is not part of the stabilization round here. Please handle that via the package list or dependent bugs, or skip this stabilization for now per comment #5 and drop the vulnerable ~arch versions instead.
arm stable
A suitable dev-python/requests should be added to the queue; I went for 2.22.0 on my stable arm in the meantime.
amd64 stable
x86 stable
This was also stable for ppc, ppc64, and sparc. Are we stabilizing these as well, or are we going to drop them from stable?
Stabilization of a requests version suitable for this urllib3 appears to have happened in bug 714490 in the meantime.
arm64 stable
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.