Bug 1906451 (CVE-2020-29651)

Summary: CVE-2020-29651 python-py: ReDoS in the py.path.svnwc component via mailicious input to blame functionality
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmontgom, eparis, hbrock, jburrell, jjoyce, jokerman, jschluet, jslagle, lhh, lpeer, mburns, mrunge, nstielau, python-maint, sclewis, slinaber, sponnaga, thomas.moschny
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-py 1.10.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 11:00:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1906453, 1906892, 1910397, 1910398, 1910655, 1914836, 1914838, 1914839    
Bug Blocks: 1906454    

Description Guilherme de Almeida Suckevicz 2020-12-10 14:48:23 UTC 
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Reference:
https://github.com/pytest-dev/py/issues/256

Upstream patch:
https://github.com/pytest-dev/py/pull/257
Comment 1 Guilherme de Almeida Suckevicz 2020-12-10 14:50:11 UTC 
Created python-py tracking bugs for this issue:

Affects: fedora-all [bug 1906453]
Comment 3 Przemyslaw Roguski 2020-12-11 17:06:37 UTC 
External References:

https://github.com/pytest-dev/py/issues/256
Comment 4 Przemyslaw Roguski 2020-12-11 17:15:52 UTC 
Upstream fixed version is not released yet, but the patch is already merged with master branch:
https://github.com/pytest-dev/py/pull/257/commits/4a9017dc6199d2a564b6e4b0aa39d6d8870e4144
Comment 6 Przemyslaw Roguski 2020-12-18 10:30:28 UTC 
Upstream PR:
https://github.com/earthgecko/skyline/pull/381
Comment 11 Nick Tait 2021-02-04 22:21:59 UTC 
Statement:

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-py package.