Issue 46474: Inefficient regular expression complexity in EntryPoint.pattern
Created on 2022-01-22 19:18 by jaraco, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests

| URL | Status | Linked |
|---|---|---|
| PR 30802 | merged | jaraco, 2022-01-22 19:46 |
| PR 30803 | merged | jaraco, 2022-01-22 19:49 |
| PR 30827 | merged | jaraco, 2022-01-23 13:08 |
| PR 30828 | merged | jaraco, 2022-01-23 13:10 |
| PR 30829 | merged | jaraco, 2022-01-23 13:12 |

Messages (7)

msg411282 - Author: Jason R. Coombs (jaraco)
Date: 2022-01-22 19:18

Originally reported to the Python Security Response Team, the EntryPoint.pattern demonstrates a potential [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_). The issue has been patched and the fix released with importlib_metadata 4.10.1. Let's get that fix incorporated into Python as well.

msg411286 - Author: Jason R. Coombs (jaraco)
Date: 2022-01-22 19:41

Because I want this security issue to be back-portable to older Pythons, I'll first apply importlib_metadata 4.10.0 and then apply the change from 4.10.1 separately.

msg411335 - Author: Jason R. Coombs (jaraco)
Date: 2022-01-23 02:39

New changeset 443dec6c9a104386ee90165d32fb28d0c5d29043 by Jason R. Coombs in branch 'main':
bpo-46474: Apply changes from importlib_metadata 4.10.0 (GH-30802)
https://github.com/python/cpython/commit/443dec6c9a104386ee90165d32fb28d0c5d29043

msg411340 - Author: Jason R. Coombs (jaraco)
Date: 2022-01-23 04:00

New changeset 51c3e28c8a163e58dc753765e3cc51d5a717e70d by Jason R. Coombs in branch 'main':
bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803)
https://github.com/python/cpython/commit/51c3e28c8a163e58dc753765e3cc51d5a717e70d

msg411377 - Author: Jason R. Coombs (jaraco)
Date: 2022-01-23 15:17

New changeset a7a4ca4f06c8c31d7f403113702ad2e80bfc326b by Jason R. Coombs in branch '3.10':
[3.10] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803) (GH-30827)
https://github.com/python/cpython/commit/a7a4ca4f06c8c31d7f403113702ad2e80bfc326b

msg411378 - Author: Jason R. Coombs (jaraco)
Date: 2022-01-23 15:17

New changeset 1514d1252f96e6a83eb65c439522a6b5443f6a1a by Jason R. Coombs in branch '3.9':
[3.9] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (GH-30828)
https://github.com/python/cpython/commit/1514d1252f96e6a83eb65c439522a6b5443f6a1a

msg413240 - Author: Łukasz Langa (lukasz.langa)
Date: 2022-02-14 17:56

New changeset 8a84aef0123bd8c13cf81fbc3b5f6d45f96c2656 by Jason R. Coombs in branch '3.8':
[3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (#30829)
https://github.com/python/cpython/commit/8a84aef0123bd8c13cf81fbc3b5f6d45f96c2656

History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:59:55 | admin | set | github: 90632 |
| 2022-02-14 17:56:17 | lukasz.langa | set | nosy: + lukasz.langa messages: + msg413240 |
| 2022-01-23 15:19:20 | jaraco | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2022-01-23 15:17:45 | jaraco | set | messages: + msg411378 |
| 2022-01-23 15:17:34 | jaraco | set | messages: + msg411377 |
| 2022-01-23 13:12:11 | jaraco | set | pull_requests: + pull_request29016 |
| 2022-01-23 13:10:44 | jaraco | set | pull_requests: + pull_request29015 |
| 2022-01-23 13:08:08 | jaraco | set | pull_requests: + pull_request29014 |
| 2022-01-23 04:00:45 | jaraco | set | messages: + msg411340 |
| 2022-01-23 02:39:03 | jaraco | set | messages: + msg411335 |
| 2022-01-22 19:49:52 | jaraco | set | pull_requests: + pull_request28989 |
| 2022-01-22 19:46:19 | jaraco | set | keywords: + patch stage: patch review pull_requests: + pull_request28987 |
| 2022-01-22 19:41:34 | jaraco | set | messages: + msg411286 |
| 2022-01-22 19:18:51 | jaraco | create | |
