2128977 – (CVE-2022-40023) CVE-2022-40023 python-mako: REDoS in Lexer class

Bug 2128977 (CVE-2022-40023) - CVE-2022-40023 python-mako: REDoS in Lexer class

Summary: CVE-2022-40023 python-mako: REDoS in Lexer class

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-40023
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2128979 2129692 2128978 2128981 2129690 2129691 2129693 2129694 2129695 2129696 2133604 2133605 2133606 2258851
Blocks:	2125131
TreeView+	depends on / blocked

Reported:	2022-09-22 07:42 UTC by Avinash Hanwate
Modified:	2024-01-17 17:00 UTC (History)
CC List:	31 users (show)
Fixed In Version:	mako 1.2.2
Clone Of:
Environment:
Last Closed:	2023-05-16 16:51:40 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:2258	0	None	None	None	2023-05-09 07:23:23 UTC
Red Hat Product Errata	RHSA-2023:2893	0	None	None	None	2023-05-16 08:25:19 UTC

Description Avinash Hanwate 2022-09-22 07:42:56 UTC

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
https://github.com/sqlalchemy/mako/issues/366
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html

Comment 1 Avinash Hanwate 2022-09-22 07:48:24 UTC

Created python-pecan tracking bugs for this issue:

Affects: epel-all [bug 2128979]
Affects: fedora-all [bug 2128978]

Comment 2 Avinash Hanwate 2022-09-22 07:50:05 UTC

Created python-pecan tracking bugs for this issue:

Affects: openstack-rdo [bug 2128981]

Comment 4 Timothée Floure 2022-09-24 15:07:46 UTC

This package is a wayland notification daemon, not the python templating library: this bug is in the wrong place.

Comment 5 Timothée Floure 2022-09-24 15:11:33 UTC

You want the python-mako [1] package - adding its maintainer to the CC list.

[1] https://src.fedoraproject.org/rpms/python-mako

Comment 19 errata-xmlrpc 2023-05-09 07:23:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2258 https://access.redhat.com/errata/RHSA-2023:2258

Comment 20 errata-xmlrpc 2023-05-16 08:25:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2893 https://access.redhat.com/errata/RHSA-2023:2893

Comment 21 Product Security DevOps Team 2023-05-16 16:51:37 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-40023

Note You need to log in before you can comment on or make changes to this bug.

aekoroglu
agk
amoralej
aoconnor
apevec
bdettelb
bniver
cluster-maint
dking
eglynn
fdinitto
flucifre
gmeno
jjoyce
jschluet
kdreyer
lhh
mbenjamin
mburns
mgarciac
mhackett
nobody
oalbrigt
openstack-sig
python-maint
rhos-maint
sostapov
spower
srevivo
timothee.floure
vereddy