Bug 2184017 (CVE-2023-26112)

Summary: CVE-2023-26112 python-configobj: Regular expression denial of service exists in ./src/configobj/validate.py
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Pedro Sampaio <psampaio>
Assignee: Nobody <nobody>
QA Contact:
Docs Contact:
CC: eterrell, nboldt, python-maint, scorneli
Keywords: Security
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-configobj in the check parsing done by Validator in python-configobj/validate.py. A crafted check value causes excessive backtracking in a regular expression, leading to a Regular Expression Denial of Service (ReDoS). The issue is only reachable when a developer places the offending value in a server-side configuration file, which limits its exposure.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2224088, 2224089, 2224110, 2224111
Bug Blocks: 2223660

Description Pedro Sampaio 2023-04-03 13:02:11 UTC
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). Note: This is only exploitable in the case of a developer putting the offending value in a server-side configuration file.

References:

https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494
https://github.com/DiffSK/configobj/issues/232
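
As an added example (not configobj's own code and not from the reporter), the Python below shows why the pattern quoted above, (.+?)\((.*)\), does quadratic work on a check string made of many '(' characters with no ')', and puts a linear two-scan split beside it that returns the same name/args pair for single-line input. The function names, the sample check strings, the constructed pathological input and the 256-character cap are assumptions of this example; the flags configobj passes to re.compile and the upstream fix are not stated on this page.

```python
"""Why the pattern quoted for CVE-2023-26112 backtracks quadratically.

Added example: this is not python-configobj's code and not the reporter's.
Function names, the sample check strings, the pathological input and the
length cap are assumptions made for illustration.
"""
import re
import time

# The pattern quoted in the bug description.  configobj applies it to a
# check string such as "integer(0, 100)" to split it into a function
# name and an argument string.  Flags are not quoted on the page, so
# none are used here; all inputs below are single-line.
FUNC_RE = re.compile(r'(.+?)\((.*)\)')

# Constructed sample check strings (not taken from any real configspec).
SAMPLES = [
    "integer(0, 100)",
    "string(min=1)",
    "option('a', 'b')",
    "a(b(c))",        # nested parens: args run to the LAST ')'
    "(noname)",       # name must be at least one char: no match
    "name(unclosed",  # no ')' at all: no match
]


def pathological(n):
    """Constructed input: a name, then n '(' characters and no ')'.

    At every one of the n positions the lazy (.+?) stops at, the greedy
    (.*) runs to the end and then backtracks all the way looking for a
    ')', so the total work is about n*n/2 steps before the match fails.
    """
    return "x" + "(" * n


def regex_split(check):
    """Split a check string with the quoted regex; None if no match."""
    m = FUNC_RE.match(check)
    return (m.group(1), m.group(2)) if m else None


def linear_split(check):
    """Same (name, args) result as regex_split, using two plain scans.

    The lazy (.+?) stops at the first '(' found at index >= 1, and the
    greedy (.*) followed by the literal ')' ends at the LAST ')' after
    it.  find/rfind reproduce that without any backtracking.
    """
    i = check.find("(", 1)
    j = check.rfind(")")
    if i == -1 or j < i:
        return None
    return check[:i], check[i + 1:j]


def time_split(fn, n):
    """Seconds fn spends on pathological(n)."""
    text = pathological(n)
    start = time.perf_counter()
    fn(text)
    return time.perf_counter() - start


# Assumed cap: any real check spec is far shorter than this.  Rejecting
# oversized input before parsing bounds the work even if the regex stays.
MAX_CHECK_LEN = 256


def guarded_split(check):
    """Reject oversized check strings, then split them in linear time."""
    if len(check) > MAX_CHECK_LEN:
        raise ValueError("check string too long (%d chars)" % len(check))
    return linear_split(check)


if __name__ == "__main__":
    for s in SAMPLES:
        assert regex_split(s) == linear_split(s), s
        print("%-18r -> %r" % (s, linear_split(s)))
    for n in (5_000, 10_000, 20_000):
        # regex time grows roughly with n**2; the scan stays flat
        print("n=%6d  regex: %.3fs  linear: %.6fs" % (
            n, time_split(regex_split, n), time_split(linear_split, n)))
```

Running the file prints the split of each sample and the timings for n = 5000, 10000 and 20000; the regex time roughly quadruples each time n doubles while the linear split stays flat. The length cap is the cheap defence when the regex cannot be changed; replacing the regex with the two scans removes the backtracking altogether.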

Comment 2 Pedro Sampaio 2023-07-19 18:36:03 UTC
Created python-configobj tracking bugs for this issue:

Affects: fedora-all [bug 2224088]

Created python3-configobj tracking bugs for this issue:

Affects: epel-7 [bug 2224089]