diff -Nru python-future-0.18.2/debian/changelog python-future-0.18.2/debian/changelog
--- python-future-0.18.2/debian/changelog 2022-05-25 19:40:53.000000000 +0000
+++ python-future-0.18.2/debian/changelog 2023-01-25 08:40:55.000000000 +0000
@@ -1,3 +1,12 @@
+python-future (0.18.2-6ubuntu1) lunar; urgency=medium
+
+ * SECURITY UPDATE: ReDOS through Set-Cookie header
+ - debian/patches/CVE-2022-40899.patch: Fix overlapping \s*
+ regex groups in src/future/backports/http/cookiejar.py.
+ - CVE-2022-40899
+
+ -- David Fernandez Gonzalez Wed, 25 Jan 2023 09:40:55 +0100
+
 python-future (0.18.2-6) unstable; urgency=medium
 
 * Set upstream metadata fields: Repository, Repository-Browse.
diff -Nru python-future-0.18.2/debian/control python-future-0.18.2/debian/control
--- python-future-0.18.2/debian/control 2022-05-25 19:40:53.000000000 +0000
+++ python-future-0.18.2/debian/control 2023-01-25 08:40:55.000000000 +0000
@@ -1,7 +1,8 @@
 Source: python-future
 Section: python
 Priority: optional
-Maintainer: Debian Python Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Python Team
 Uploaders: Vincent Bernat
 Build-Depends: debhelper-compat (= 13),
 dh-python,
diff -Nru python-future-0.18.2/debian/patches/CVE-2022-40899.patch python-future-0.18.2/debian/patches/CVE-2022-40899.patch
--- python-future-0.18.2/debian/patches/CVE-2022-40899.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-future-0.18.2/debian/patches/CVE-2022-40899.patch 2023-01-25 08:40:55.000000000 +0000
@@ -0,0 +1,52 @@
+From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001
+From: Will Shanks
+Date: Fri, 23 Dec 2022 13:38:26 -0500
+Subject: [PATCH] Backport fix for bpo-38804
+
+The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
+expression denial of service (REDoS). The regex contained multiple
+overlapping \s* capture groups. A long sequence of spaces can trigger
+bad performance.
+
+See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
+---
+ src/future/backports/http/cookiejar.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py
+index af3ef415..0ad80a02 100644
+--- a/src/future/backports/http/cookiejar.py
++++ b/src/future/backports/http/cookiejar.py
+@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz):
+ (?::(\d\d))? # optional seconds
+ )? # optional clock
+ \s*
+- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
++ (?:
++ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
++ \s*
++ )?
++ (?:
++ \(\w+\) # ASCII representation of timezone in parens.
+ \s*
+- (?:\(\w+\))? # ASCII representation of timezone in parens.
+- \s*$""", re.X | re.ASCII)
++ )?$""", re.X | re.ASCII)
+ def http2time(text):
+ """Returns time in seconds since epoch of time represented by a string.
+
+@@ -298,9 +302,11 @@ def http2time(text):
+ (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
+ )? # optional clock
+ \s*
+- ([-+]?\d\d?:?(:?\d\d)?
+- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
+- \s*$""", re.X | re. ASCII)
++ (?:
++ ([-+]?\d\d?:?(:?\d\d)?
++ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
++ \s*
++ )?$""", re.X | re. ASCII)
+ def iso2time(text):
+ """
+ As for http2time, but parses the ISO 8601 formats:
diff -Nru python-future-0.18.2/debian/patches/series python-future-0.18.2/debian/patches/series
--- python-future-0.18.2/debian/patches/series 2022-05-25 19:40:53.000000000 +0000
+++ python-future-0.18.2/debian/patches/series 2023-01-25 08:40:55.000000000 +0000
@@ -4,3 +4,4 @@
 0005-Fixed-bytes-unit-tests-fail-on-Python-3.5.patch
 #Python3.7-support.patch
 no-dummy-thread.patch
+CVE-2022-40899.patch
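Review bot: The backport in debian/patches/CVE-2022-40899.patch carries the regex rewrite alone and adds no regression test, although the upstream fix it cites (cpython pull 17157 for bpo-38804) also shipped tests that hand http2time and iso2time a long whitespace run and require a prompt return; without one, nothing in the package's test suite pins the fix, and a later refresh of cookiejar.py could silently reintroduce the overlapping `\s*` groups. The rewrite itself reads as sound: the new wrappers are non-capturing `(?:` … `)?`, so numbered groups keep their positions and any caller that indexes the match by position should be unaffected, and the accepted language is unchanged because each optional timezone element now owns exactly one trailing `\s*` before `$`. Separately, the patch has git-format headers but no DEP-3 `Origin:` line; an `Origin: backport, <upstream commit URL for c91d70b34ef0402aef3e9d04364ba98509dca76f>` header would make the provenance of the change traceable from the packaging alone. Both inner hunks are excerpts: the LOOSE_HTTP_DATE_RE definition and the ISO 8601 regex used by iso2time begin outside the visible hunk context.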