import python-mako-1.1.4-6.el9

SOURCES/python-mako-1.1.14-CVE-2022-40023.patch

@@ -0,0 +1,87 @@
+From 0969203d36a128f42d7e4025ca29b5dfa74e1a21 Mon Sep 17 00:00:00 2001
+From: Mike Bayer <mike_mp@zzzcomputing.com>
+Date: Mon, 29 Aug 2022 12:28:52 -0400
+Subject: [PATCH] fix tag regexp to match quoted groups correctly
+
+Fixed issue in lexer where the regexp used to match tags would not
+correctly interpret quoted sections individually. While this parsing issue
+still produced the same expected tag structure later on, the mis-handling
+of quoted sections was also subject to a regexp crash if a tag had a large
+number of quotes within its quoted sections.
+
+Fixes: #366
+Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
+---
+ doc/build/unreleased/366.rst |  9 +++++++++
+ mako/lexer.py                | 12 ++++++++----
+ test/test_lexer.py           |  4 ++++
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 doc/build/unreleased/366.rst
+
+diff --git a/doc/build/unreleased/366.rst b/doc/build/unreleased/366.rst
+new file mode 100644
+index 0000000..27b0278
+--- /dev/null
++++ b/doc/build/unreleased/366.rst
+@@ -0,0 +1,9 @@
++.. change::
++    :tags: bug, lexer
++    :tickets: 366
++
++    Fixed issue in lexer where the regexp used to match tags would not
++    correctly interpret quoted sections individually. While this parsing issue
++    still produced the same expected tag structure later on, the mis-handling
++    of quoted sections was also subject to a regexp crash if a tag had a large
++    number of quotes within its quoted sections.
+\ No newline at end of file
+diff --git a/mako/lexer.py b/mako/lexer.py
+index 6226e26..c8eee6f 100644
+--- a/mako/lexer.py
++++ b/mako/lexer.py
+@@ -295,20 +295,24 @@ class Lexer(object):
+         return self.template
+ 
+     def match_tag_start(self):
+-        match = self.match(
+-            r"""
++        reg = r"""
+             \<%     # opening tag
+ 
+             ([\w\.\:]+)   # keyword
+ 
+-            ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*)  # attrname, = \
++            ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*)  # attrname, = \
+                                                #        sign, string expression
++                                               # comma is for backwards compat
++                                               # identified in #366
+ 
+             \s*     # more whitespace
+ 
+             (/)?>   # closing
+ 
+-            """,
++        """
++
++        match = self.match(
++            reg,
+             re.I | re.S | re.X,
+         )
+ 
+diff --git a/test/test_lexer.py b/test/test_lexer.py
+index 9807961..7d4b146 100644
+--- a/test/test_lexer.py
++++ b/test/test_lexer.py
+@@ -146,6 +146,10 @@ class LexerTest(TemplateTest):
+         """
+         self.assertRaises(exceptions.CompileException, Lexer(template).parse)
+ 
++    def test_tag_many_quotes(self):
++        template = "<%0" + '"' * 3000
++        self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)
++
+     def test_unmatched_tag(self):
+         template = """
+         <%namespace name="bar">
+-- 
+2.38.1
+

SPECS/python-mako.spec

@@ -1,6 +1,6 @@
 Name: python-mako
 Version: 1.1.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 BuildArch: noarch
 
 # Mostly MIT, but _ast_util.py is Python licensed.
@@ -9,6 +9,8 @@ License: (MIT and Python) and (BSD or GPLv2)
 Summary: Mako template library for Python
 URL: http://www.makotemplates.org/
 Source0: https://github.com/sqlalchemy/mako/archive/rel_%(echo %{version} | sed "s/\./_/g").tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133606
+Patch0:  python-mako-1.1.14-CVE-2022-40023.patch
 
 BuildRequires: python3-devel
 BuildRequires: python3-pytest
@@ -89,6 +91,9 @@ pytest-3
 
 
 %changelog
+* Thu Nov 17 2022 David King <amigadave@amigadave.com> - 1.1.4-6
+- Fix CVE-2022-40023 (#2133606)
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.4-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688