Bug 2184017 (CVE-2023-26112) - CVE-2023-26112 python-configobj: Regular expression denial of service exists in ./src/configobj/validate.py
Summary: CVE-2023-26112 python-configobj: Regular expression denial of service exists ...
Keywords:
Status: NEW
Alias: CVE-2023-26112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2224089 2224088 2224110 2224111
Blocks: 2223660
 
Reported: 2023-04-03 13:02 UTC by Pedro Sampaio
Modified: 2023-07-19 20:32 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-configobj in the Validator class in validate.py. The issue only occurs when a developer puts the offending value in a server-side configuration file, which could lead to a Regular Expression Denial of Service (ReDoS).
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-04-03 13:02:11 UTC
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer putting the offending value in a server-side configuration file.

References:

https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494
https://github.com/DiffSK/configobj/issues/232
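The backtracking described in the report, reproduced and then removed, as an added example that is not code from this page or from the configobj project: the first parser applies the pattern quoted above, (.+?)\((.*)\), with re.match and re.DOTALL, the way a check string such as integer(0, 10) is split into a function name and an argument string (the DOTALL flag and the use of .match() rather than .fullmatch() are assumptions made here). The second parser computes exactly the same result with two linear scans, so it is a drop-in replacement for the regex. The adversarial input, a run of "(" with no ")", is constructed for the demonstration.

```python
"""Reproduce and remove the quadratic backtracking in a (.+?)\\((.*)\\) check parser."""
import re
import time

# The pattern quoted in the bug report. DOTALL is assumed so that both groups
# accept newlines; .match() anchors only at the start of the string.
VULNERABLE_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)


def parse_check_backtracking(check):
    """Split a check string with the backtracking regex.

    Returns (fun_name, arg_string) or None. For every '(' in the input the
    engine consumes the rest of the string and then backs up looking for a
    ')', so a string of N '(' characters with no ')' costs O(N^2) steps.
    """
    m = VULNERABLE_FUNC_RE.match(check)
    if m is None:
        return None
    return m.group(1), m.group(2)


def parse_check_linear(check):
    """Same result as the regex, computed with two linear scans.

    Regex semantics being reproduced: group 1 is the shortest non-empty prefix
    that is followed by '(' such that a ')' occurs later; group 2 runs from
    that '(' to the LAST ')' in the string (greedy .*). Text after the last
    ')' is ignored because .match() does not anchor at the end.
    """
    close = check.rfind(')')
    if close == -1:
        return None
    # The function name needs at least one character, so the '(' is searched
    # for from index 1, and it has to precede the closing ')'.
    open_ = check.find('(', 1, close)
    if open_ == -1:
        return None
    return check[:open_], check[open_ + 1:close]


def results_agree(check):
    """True when both parsers return the same answer for one input."""
    return parse_check_backtracking(check) == parse_check_linear(check)


def adversarial_check(n):
    """Constructed attack input: n '(' characters and no ')'."""
    return '(' * n


def time_parser(parser, check):
    """Wall-clock seconds for a single parse of `check`."""
    start = time.perf_counter()
    parser(check)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Constructed well-formed and malformed check strings: both parsers agree.
    samples = ['integer(0, 10)', 'option("a", "b", default="a")', 'string',
               'a()', 'ab(c', 'x(y)(z)', '(a)', 'a(b)c)']
    for sample in samples:
        print(f'{sample!r:34} -> {parse_check_linear(sample)!r}'
              f'  agree={results_agree(sample)}')

    # Doubling the adversarial input roughly quadruples the regex time;
    # the linear parser stays flat.
    for n in (20_000, 40_000, 80_000):
        check = adversarial_check(n)
        print(f'n={n:6d}  regex {time_parser(parse_check_backtracking, check):8.3f}s'
              f'  linear {time_parser(parse_check_linear, check):8.5f}s')
```

Run the file directly to see the timings. The cost is quadratic, not exponential, so only a long check string hurts, and in configobj the check strings are the values of the configspec (the validation schema) rather than of the configuration being validated, which is why the report limits exploitability to someone who can write the server-side spec file. The linear parser keeps the regex's exact behaviour, including its acceptance of text after the last ')', so swapping it in does not change which check strings are accepted.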

Comment 2 Pedro Sampaio 2023-07-19 18:36:03 UTC
Created python-configobj tracking bugs for this issue:

Affects: fedora-all [bug 2224088]


Created python3-configobj tracking bugs for this issue:

Affects: epel-7 [bug 2224089]

