From 362fc370f3f3ec33016b2c163a438ceacf2b3412 Mon Sep 17 00:00:00 2001
From: rdobuilder
Date: Oct 15 2021 07:10:42 +0000
Subject: Update to 1.2.1
Related-to: https://review.rdoproject.org/r/q/I3a7713516431a636b8eb4c81b6b8858de022db78
---
diff --git a/.python-mpmath.metadata b/.python-mpmath.metadata
index 2427b68..4c49758 100644
--- a/.python-mpmath.metadata
+++ b/.python-mpmath.metadata
@@ -1 +1 @@
-7376e4a8b8c5a75e736ffc79e9680a93b78c126f SOURCES/python-mpmath-1.2.0.tar.gz
+cf99bb46b911490507f9151c00b7b1a81fae381c SOURCES/python-mpmath-1.2.1.tar.gz
diff --git a/SOURCES/570.patch b/SOURCES/570.patch
new file mode 100644
index 0000000..e3d2c42
--- /dev/null
+++ b/SOURCES/570.patch
@@ -0,0 +1,70 @@
+From c811b37c65a4372a7ce613111d2a508c204f9833 Mon Sep 17 00:00:00 2001
+From: Vinzent Steinberg
+Date: Wed, 10 Feb 2021 16:45:04 +0100
+Subject: [PATCH 1/2] Fix ReDOS vulnerability
+
+Fixes #548, with the workaround suggested by @yetingli.
+---
+ mpmath/ctx_mp.py | 4 ++--
+ mpmath/tests/test_convert.py | 10 ++++++++++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/mpmath/ctx_mp.py b/mpmath/ctx_mp.py
+index 39fc9411..93594dd4 100644
+--- a/mpmath/ctx_mp.py
++++ b/mpmath/ctx_mp.py
+@@ -42,8 +42,8 @@
+
+ new = object.__new__
+
+-get_complex = re.compile(r'^\(?(?P[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?)??'
+- r'(?P[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?j)?\)?$')
++get_complex = re.compile(r'^\(?(?P[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?)??'
++ r'(?P[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?j)?\)?$')
+
+ if BACKEND == 'sage':
+ from sage.libs.mpmath.ext_main import Context as BaseMPContext
+diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py
+index 3e2f5559..cf1a91da 100644
+--- a/mpmath/tests/test_convert.py
++++ b/mpmath/tests/test_convert.py
+@@ -194,6 +194,16 @@ def test_mpmathify():
+ assert mpmathify('(1.2e-10 - 3.4e5j)') == mpc('1.2e-10', '-3.4e5')
+ assert mpmathify('1j') == mpc(1j)
+
++def test_issue548():
++ try:
++ # This expression is invalid, but may trigger the ReDOS vulnerability
++ # in the regular expression.
++ mpmathify('(' + '1' * 5000 + '!j')
++ except:
++ return
++ # The expression is invalid and should raise an exception.
++ assert False
++
+ def test_compatibility():
+ try:
+ import numpy as np
+
+From 2865c7d12b2a077d420427ad187eca831a48bff4 Mon Sep 17 00:00:00 2001
+From: Vinzent Steinberg
+Date: Wed, 10 Feb 2021 16:47:57 +0100
+Subject: [PATCH 2/2] Improve comment
+
+---
+ mpmath/tests/test_convert.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py
+index cf1a91da..cb1db5b5 100644
+--- a/mpmath/tests/test_convert.py
++++ b/mpmath/tests/test_convert.py
+@@ -197,7 +197,7 @@ def test_mpmathify():
+ def test_issue548():
+ try:
+ # This expression is invalid, but may trigger the ReDOS vulnerability
+- # in the regular expression.
++ # in the regular expression for parsing complex numbers.
+ mpmathify('(' + '1' * 5000 + '!j')
+ except:
+ return
diff --git a/SPECS/python-mpmath.spec b/SPECS/python-mpmath.spec
index f1b3d59..89c2144 100644
--- a/SPECS/python-mpmath.spec
+++ b/SPECS/python-mpmath.spec
@@ -1,6 +1,15 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.2.5)
+%define autorelease(e:s:pb:) %{?-p:0.}%{lua:
+ release_number = 2;
+ base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+ print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{?dist}
+## END: Set by rpmautospec
+
 Name: python-mpmath
-Version: 1.2.0
-Release: 1%{?dist}
+Version: 1.2.1
+Release: %autorelease
 Summary: A pure Python library for multiprecision floating-point arithmetic
 License: BSD
 URL: https://mpmath.org
@@ -10,6 +19,9 @@ Source0: https://github.com/fredrik-johansson/mpmath/archive/%{version}/%
 # Switch to 'traditional' theme in RHEL since 'classic' isn't available
 Patch0: python-mpmath-1.0.0-sphinx.patch
+# #1974835 - CVE-2021-29063 python-mpmath: Regular expression denial of service in the mpmathify function
+Patch1: 570.patch
+
 
 BuildRequires: python3-devel
 BuildRequires: python3-pip
 BuildRequires: python3-setuptools
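Review bot: The comment above `Patch1: 570.patch` records the downstream bug and CVE-2021-29063 but not where the file comes from or when it can be dropped, which is what the next person rebasing to a newer mpmath needs; the file name and the patch's own header ("Fixes #548", "[PATCH 1/2]") suggest it is upstream pull request 570, so a line such as `# Backport of upstream PR #570 (fixes upstream #548); drop once the packaged release contains it` would make that explicit. It is also worth saying there that the patch is applied unconditionally in %prep (the `%patch1 -p1` hunk further down), unlike the RHEL-only `%patch0`, because the ReDoS fix is not distribution-specific. Since the patch also adds `test_issue548`, which only checks that an exception is raised, and `%check` appears to run pytest (`xvfb-run -a pytest-3 -v` in the later hunk headers), a regression of the regex would most likely show up as a hung build rather than a failed test; a short note to that effect next to `Patch1` would save debugging time later.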
@@ -62,6 +74,7 @@ This package contains the HTML documentation for %{name}.
 %if 0%{?rhel} == 6 || 0%{?rhel} == 7
 %patch0 -p1 -b .sphinx
 %endif
+%patch1 -p1
 
 # Convert line encodings
 for doc in CHANGES LICENSE README.rst TODO mpmath/tests/runtests.py; do
@@ -105,6 +118,18 @@ xvfb-run -a pytest-3 -v
 %doc doc/build/*
 
 %changelog
+* Wed Sep 29 2021 Zbigniew Jędrzejewski-Szmek 1.2.1-2
+- Fix CVE-2021-29063 regular expression denial of service (#1974835)
+
+* Wed Sep 29 2021 Zbigniew Jędrzejewski-Szmek 1.2.1-1
+- Version 1.2.1 (#1927057)
+
+* Fri Jul 23 2021 Fedora Release Engineering - 1.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint - 1.2.0-2
+- Rebuilt for Python 3.10
+
 * Tue Feb 2 2021 Zbigniew Jędrzejewski-Szmek - 1.2.0-1
 - Update to latest version (#1923815)
 
@@ -252,3 +277,4 @@ xvfb-run -a pytest-3 -v
 
 * Wed Sep 23 2009 Jussi Lehtola - 0.13-1
 - First release.
+