Bug 1906451 (CVE-2020-29651)

Summary: CVE-2020-29651 python-py: ReDoS in the py.path.svnwc component via mailicious input to blame functionality
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmontgom, eparis, hbrock, jburrell, jjoyce, jokerman, jschluet, jslagle, lhh, lpeer, mburns, mrunge, nstielau, python-maint, sclewis, slinaber, sponnaga, thomas.moschny
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: python-py 1.10.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 11:00:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1906453, 1906892, 1910397, 1910398, 1910655, 1914836, 1914838, 1914839    
Bug Blocks: 1906454    

Description Guilherme de Almeida Suckevicz 2020-12-10 14:48:23 UTC
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2020-12-10 14:50:11 UTC
Created python-py tracking bugs for this issue:

Affects: fedora-all [bug 1906453]

Comment 3 Przemyslaw Roguski 2020-12-11 17:06:37 UTC
External References:


Comment 4 Przemyslaw Roguski 2020-12-11 17:15:52 UTC
Upstream fixed version is not released yet, but the patch is already merged with master branch:

Comment 6 Przemyslaw Roguski 2020-12-18 10:30:28 UTC
Upstream PR:

Comment 11 Nick Tait 2021-02-04 22:21:59 UTC

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-py package.