Add patch to fix CVE-2023-26112

0001-Address-CVE-2023-26112-ReDoS.patch

@@ -0,0 +1,51 @@
+From a82ea8fb0338f2bd46cf627c4b763094448e6bd7 Mon Sep 17 00:00:00 2001
+From: cdcadman <mythirty@gmail.com>
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: [PATCH] Address CVE-2023-26112 ReDoS
+
+---
+ src/configobj/validate.py         |  2 +-
+ src/tests/test_validate_errors.py | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
++++ b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+     """
+ 
+     # this regex does the initial parsing of the checks
+-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+     # this regex takes apart keyword arguments
+     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)
+diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
++++ b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+ 
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+ 
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+     ini.write('[[haha]]')
+     with pytest.raises(NestingError):
+         conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++    value = "aaa"
++    i = 165100
++    attack = '\x00'*i + ')' + '('*i
++    with pytest.raises(VdtUnknownCheckError):
++        val.check(attack, value)
+-- 
+2.40.1
+

python-configobj.spec

@@ -1,6 +1,6 @@
 Name:           python-configobj
 Version:        5.0.8
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Config file reading, writing, and validation
 License:        BSD-3-Clause
 URL:            http://configobj.readthedocs.org/
@@ -10,6 +10,7 @@ URL:            http://configobj.readthedocs.org/
 # https://github.com/DiffSK/configobj/issues/99
 # Source0:        https://pypi.python.org/packages/source/c/configobj/configobj-5.0.6.tar.gz
 Source0:        https://github.com/DiffSK/configobj/archive/v%{version}.tar.gz
+Patch1:         0001-Address-CVE-2023-26112-ReDoS.patch
 BuildArch:      noarch
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
@@ -28,7 +29,7 @@ Requires:       python%{python3_pkgversion}-six
 %description -n python%{python3_pkgversion}-configobj %_description
 
 %prep
-%autosetup -n configobj-%{version}
+%autosetup -p1 -n configobj-%{version}
 
 %build
 %py3_build
@@ -50,6 +51,9 @@ export PYTHONPATH=$(pwd)/build/lib
 %{python3_sitelib}/configobj-%{version}-py%{python3_version}.egg-info
 
 %changelog
+* Mon Oct 09 2023 Terje Rosten <terje.rosten@ntnu.no> - 5.0.8-6
+- Add patch to fix CVE-2023-26112
+
 * Sun Oct 01 2023 Terje Rosten <terje.rosten@ntnu.no> - 5.0.8-5
 - SPDX fix from Daniel P. Berrange