900202 – (CVE-2021-29063) <dev-python/mpmath-1.3.0: ReDoS vulnerability in mpmathify

Bug 900202 (CVE-2021-29063) - <dev-python/mpmath-1.3.0: ReDoS vulnerability in mpmathify

Summary: <dev-python/mpmath-1.3.0: ReDoS vulnerability in mpmathify

Status:	RESOLVED FIXED

Alias:	CVE-2021-29063

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	900765
Blocks:
	Show dependency tree

Reported:	2023-03-07 16:57 UTC by Sam James
Modified:	2023-04-16 19:39 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-03-07 16:57:48 UTC

From 1.3.0 release notes:
"""
Security issues:

    Fixed ReDOS vulnerability in mpmathify() (CVE-2021-29063) (Vinzent Steinberg)
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-03-07 16:58:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22cecdc3bf96930e5f433b7219e0db338fd7a43a

commit 22cecdc3bf96930e5f433b7219e0db338fd7a43a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-07 16:57:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-07 16:58:20 +0000

    dev-python/mpmath: add 1.3.0
    
    Bug: https://bugs.gentoo.org/900202
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/mpmath/Manifest            |  1 +
 dev-python/mpmath/mpmath-1.3.0.ebuild | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

Comment 2 Michał Górny archtester

2023-03-11 09:52:32 UTC

cleanup done.

Comment 3 John Helmert III archtester

2023-04-16 19:39:22 UTC

ReDoS -> noglsa. Closing.