2128977 – (CVE-2022-40023) CVE-2022-40023 mako: REDoS in Lexer class

Bug 2128977 (CVE-2022-40023) - CVE-2022-40023 mako: REDoS in Lexer class

Summary: CVE-2022-40023 mako: REDoS in Lexer class

Keywords:
Status:	NEW
Alias:	CVE-2022-40023
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2128978 2128979 2128981 2129690 2129691 2129692 2133604 2133606 2129693 2129694 2129695 2129696 2133605
Blocks:	2125131
TreeView+	depends on / blocked

Reported:	2022-09-22 07:42 UTC by Avinash Hanwate
Modified:	2023-01-04 11:29 UTC (History)
CC List:	30 users (show)
Fixed In Version:	mako 1.2.2
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the mako package. Affected versions of this package are vulnerable to Regular expression denial of service (ReDoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2022-09-22 07:42:56 UTC

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
https://github.com/sqlalchemy/mako/issues/366
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html

Comment 1 Avinash Hanwate 2022-09-22 07:48:24 UTC

Created python-pecan tracking bugs for this issue:

Affects: epel-all [bug 2128979]
Affects: fedora-all [bug 2128978]

Comment 2 Avinash Hanwate 2022-09-22 07:50:05 UTC

Created python-pecan tracking bugs for this issue:

Affects: openstack-rdo [bug 2128981]

Comment 4 Timothée Floure 2022-09-24 15:07:46 UTC

This package is a wayland notification daemon, not the python templating library: this bug is in the wrong place.

Comment 5 Timothée Floure 2022-09-24 15:11:33 UTC

You want the python-mako [1] package - adding its maintainer to the CC list.

[1] https://src.fedoraproject.org/rpms/python-mako

Note You need to log in before you can comment on or make changes to this bug.

aekoroglu
agk
amoralej
aoconnor
apevec
bdettelb
bniver
cluster-maint
dking
eglynn
fdinitto
flucifre
gmeno
jjoyce
jschluet
lhh
mbenjamin
mburns
mgarciac
mhackett
nobody
oalbrigt
openstack-sig
python-maint
rhos-maint
sostapov
spower
srevivo
timothee.floure
vereddy