Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 877455 (CVE-2022-42969)

Summary: dev-python/py: ReDoS via subversion repository with crafted info
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/pytest-dev/py/issues/287
Whiteboard: B3 [upstream noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 14:45:01 UTC 
CVE-2022-42969:

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

No GLSA. Upstream says, "I doubt there's anyone using this code, so I
don't think it would warrant any sort of security notification that
users should bother with, but if you prepare a PR for this I'll merge
& release it."