2142925 – CVE-2022-42966 python-cleo: exponential ReDoS in cleo leads to denial of service [fedora-35]

Bug 2142925 - CVE-2022-42966 python-cleo: exponential ReDoS in cleo leads to denial of service [fedora-35]

Summary: CVE-2022-42966 python-cleo: exponential ReDoS in cleo leads to denial of serv...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	python-cleo
Sub Component:
Version:	35
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tomáš Hrnčiar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2022-42966
TreeView+	depends on / blocked

Reported:	2022-11-15 14:05 UTC by TEJ RATHI
Modified:	2022-12-08 14:26 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2022-12-08 14:26:19 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description TEJ RATHI 2022-11-15 14:05:07 UTC

More information about this security flaw is available in the following bug:

http://bugzilla.redhat.com/show_bug.cgi?id=2142924

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 TEJ RATHI 2022-11-15 14:05:11 UTC

Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug.  This will ensure that all associated bugs get updated
when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2142924,2142925

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

Comment 2 Petr Viktorin (pviktori) 2022-11-23 13:23:45 UTC

PR: https://github.com/python-poetry/cleo/pull/285 

This is only released in 1.0.0, which probably has incompatible changes, so we can't update in stable Fedora.
We might be able to backport.

Comment 3 Ben Cotton 2022-11-29 19:03:35 UTC

This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 4 Tomáš Hrnčiar 2022-12-08 14:26:19 UTC

I am gonna close this as WONTFIX, stable Fedoras are not affected and we won't update them to newer versions due to incompatible changes. I plan to update cleo in rawhide, but the latest version should contain the fix hence the backport won't be necessary.

Note You need to log in before you can comment on or make changes to this bug.