rpms / python-mpmath

Clone
Source Code
GIT

Blame SOURCES/570.patch

c10s-sig-cloud-openstack-epoxy c9s-sig-cloud-openstack-bobcat c9s-sig-cloud-openstack-xena
  1.   c9s-sig-cloud-openstack-xena
  2.   SOURCES
  3.   570.patch
Blob History Raw
rdobuilder 362fc3 
From c811b37c65a4372a7ce613111d2a508c204f9833 Mon Sep 17 00:00:00 2001
rdobuilder 362fc3 
From: Vinzent Steinberg <Vinzent.Steinberg@gmail.com>
rdobuilder 362fc3 
Date: Wed, 10 Feb 2021 16:45:04 +0100
rdobuilder 362fc3 
Subject: [PATCH 1/2] Fix ReDOS vulnerability
rdobuilder 362fc3
rdobuilder 362fc3 
Fixes #548, with the workaround suggested by @yetingli.
rdobuilder 362fc3 
---
rdobuilder 362fc3 
 mpmath/ctx_mp.py             |  4 ++--
rdobuilder 362fc3 
 mpmath/tests/test_convert.py | 10 ++++++++++
rdobuilder 362fc3 
 2 files changed, 12 insertions(+), 2 deletions(-)
rdobuilder 362fc3
rdobuilder 362fc3 
diff --git a/mpmath/ctx_mp.py b/mpmath/ctx_mp.py
rdobuilder 362fc3 
index 39fc9411..93594dd4 100644
rdobuilder 362fc3 
--- a/mpmath/ctx_mp.py
rdobuilder 362fc3 
+++ b/mpmath/ctx_mp.py
rdobuilder 362fc3 
@@ -42,8 +42,8 @@
rdobuilder 362fc3
rdobuilder 362fc3 
 new = object.__new__
rdobuilder 362fc3
rdobuilder 362fc3 
-get_complex = re.compile(r'^\(?(?P<re>[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?)??'
rdobuilder 362fc3 
-                         r'(?P<im>[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?j)?\)?$')
rdobuilder 362fc3 
+get_complex = re.compile(r'^\(?(?P<re>[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?)??'
rdobuilder 362fc3 
+                         r'(?P<im>[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?j)?\)?$')
rdobuilder 362fc3
rdobuilder 362fc3 
 if BACKEND == 'sage':
rdobuilder 362fc3 
     from sage.libs.mpmath.ext_main import Context as BaseMPContext
rdobuilder 362fc3 
diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py
rdobuilder 362fc3 
index 3e2f5559..cf1a91da 100644
rdobuilder 362fc3 
--- a/mpmath/tests/test_convert.py
rdobuilder 362fc3 
+++ b/mpmath/tests/test_convert.py
rdobuilder 362fc3 
@@ -194,6 +194,16 @@ def test_mpmathify():
rdobuilder 362fc3 
     assert mpmathify('(1.2e-10 - 3.4e5j)') == mpc('1.2e-10', '-3.4e5')
rdobuilder 362fc3 
     assert mpmathify('1j') == mpc(1j)
rdobuilder 362fc3
rdobuilder 362fc3 
+def test_issue548():
rdobuilder 362fc3 
+    try:
rdobuilder 362fc3 
+        # This expression is invalid, but may trigger the ReDOS vulnerability
rdobuilder 362fc3 
+        # in the regular expression.
rdobuilder 362fc3 
+        mpmathify('(' + '1' * 5000 + '!j')
rdobuilder 362fc3 
+    except:
rdobuilder 362fc3 
+        return
rdobuilder 362fc3 
+    # The expression is invalid and should raise an exception.
rdobuilder 362fc3 
+    assert False
rdobuilder 362fc3 
+
rdobuilder 362fc3 
 def test_compatibility():
rdobuilder 362fc3 
     try:
rdobuilder 362fc3 
         import numpy as np
rdobuilder 362fc3
rdobuilder 362fc3 
From 2865c7d12b2a077d420427ad187eca831a48bff4 Mon Sep 17 00:00:00 2001
rdobuilder 362fc3 
From: Vinzent Steinberg <Vinzent.Steinberg@gmail.com>
rdobuilder 362fc3 
Date: Wed, 10 Feb 2021 16:47:57 +0100
rdobuilder 362fc3 
Subject: [PATCH 2/2] Improve comment
rdobuilder 362fc3
rdobuilder 362fc3 
---
rdobuilder 362fc3 
 mpmath/tests/test_convert.py | 2 +-
rdobuilder 362fc3 
 1 file changed, 1 insertion(+), 1 deletion(-)
rdobuilder 362fc3
rdobuilder 362fc3 
diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py
rdobuilder 362fc3 
index cf1a91da..cb1db5b5 100644
rdobuilder 362fc3 
--- a/mpmath/tests/test_convert.py
rdobuilder 362fc3 
+++ b/mpmath/tests/test_convert.py
rdobuilder 362fc3 
@@ -197,7 +197,7 @@ def test_mpmathify():
rdobuilder 362fc3 
 def test_issue548():
rdobuilder 362fc3 
     try:
rdobuilder 362fc3 
         # This expression is invalid, but may trigger the ReDOS vulnerability
rdobuilder 362fc3 
-        # in the regular expression.
rdobuilder 362fc3 
+        # in the regular expression for parsing complex numbers.
rdobuilder 362fc3 
         mpmathify('(' + '1' * 5000 + '!j')
rdobuilder 362fc3 
     except:
rdobuilder 362fc3 
         return

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation