Bug 759547 (CVE-2020-29651) - <dev-python/py-1.9.0-r2: Denial of service in vcs 'blame' component (CVE-2020-29651)
Status: RESOLVED FIXED
Alias: CVE-2020-29651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/pytest-dev/py/issu...
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-12 03:33 UTC by Sam James
Modified: 2021-01-25 23:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-12 03:33:13 UTC
Description:
"A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality."
Comment 1 Larry the Git Cow gentoo-dev 2020-12-12 09:09:44 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cda063145cccc62b96bc09f2b423e449d6dc134a

commit cda063145cccc62b96bc09f2b423e449d6dc134a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-12 08:41:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-12 09:09:38 +0000

    dev-python/py: Backport CVE-2020-29651 fix
    
    Closes: https://bugs.gentoo.org/759547
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/py/files/py-1.9.0-cve-2020-29651.patch  | 31 ++++++++++++++++++++++
 .../py/{py-1.9.0-r1.ebuild => py-1.9.0-r2.ebuild}  |  4 +++
 2 files changed, 35 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-12 09:11:35 UTC
Sorry about that.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 07:06:42 UTC
Thank you!