Bug 1215274

Summary: python-python-rpm-spec: DoS on carefully crafted RPM spec files
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Martin Schreiner <martin.schreiner>
Component: Python
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: david.anes, martin.schreiner, mcepl, mmachova
Version: Current
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Tumbleweed
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch file fixing the issue

Description Martin Schreiner 2023-09-13 06:36:08 UTC
Created attachment 869468 [details]
patch file fixing the issue

Currently, it's possible to trick replace_macros() to never return, causing a DoS to software using this library with carefully crafted spec files.

The offending code in replace_macros() may be found here:
https://github.com/bkircher/python-rpm-spec/blob/ef0f2daa77d49480446423abefe90c07aa2f9aa8/pyrpm/spec.py#L558

Upstream issue, reported by David Anes, who also contributed the patch we're submitting:
https://github.com/bkircher/python-rpm-spec/issues/61
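The failure mode reported above, as an added example that is not python-rpm-spec's own code and not the attached patch: a minimal %{name} expander written in the naive "substitute until nothing changes" style, beside a version with a pass budget and an output-size cap. The macro tables, the regex and every function name here are assumptions made for illustration, and the cyclic and self-growing definitions are constructed inputs showing how a fixpoint loop can fail to terminate, not a claimed reproduction of the upstream report.

```python
import re
import threading

# Constructed, illustrative macro tables (assumption: a real expander takes
# these from the parsed spec file; these are not python-rpm-spec's data).
SANE_MACROS = {
    "name": "foo",
    "version": "1.2",
    "src": "%{name}-%{version}.tar.gz",
}
# Two definitions that refer to each other: every pass rewrites the text,
# so a "substitute until nothing changes" loop never reaches a fixpoint.
CYCLIC_MACROS = {"a": "%{b}", "b": "%{a}"}
# A self-reference that grows on every pass: another way the loop never settles.
GROWING_MACROS = {"a": "x%{a}"}

# Matches the plain %{name} form only; conditionals such as %{?name} are out of scope here.
_MACRO_RE = re.compile(r"%\{(\w+)\}")


def _substitute_once(text: str, macros: dict) -> str:
    """One pass: replace each known %{name} with its definition, leave unknown ones alone."""
    return _MACRO_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), text)


def expand_unbounded(text: str, macros: dict) -> str:
    """Naive fixpoint expansion (the hazardous pattern): loop until a pass changes nothing.
    With CYCLIC_MACROS or GROWING_MACROS no pass is ever a no-op, so this never returns."""
    while True:
        new = _substitute_once(text, macros)
        if new == text:
            return new
        text = new


class MacroExpansionError(ValueError):
    """Raised when expansion does not settle within the allowed budget."""


def expand_bounded(text: str, macros: dict, max_passes: int = 32, max_len: int = 1 << 16) -> str:
    """Hardened form: the same fixpoint loop, but with a pass budget and an output-size cap.
    Legitimate spec files settle in a handful of passes; anything that does not is rejected
    with an exception instead of pinning the CPU."""
    for passes in range(1, max_passes + 1):
        new = _substitute_once(text, macros)
        if len(new) > max_len:
            raise MacroExpansionError(f"expansion exceeded {max_len} bytes after {passes} passes")
        if new == text:
            return new
        text = new
    raise MacroExpansionError(f"expansion did not settle after {max_passes} passes (macro cycle?)")


def expansion_fails(text: str, macros: dict) -> bool:
    """True if the bounded expander rejects the input rather than returning a result."""
    try:
        expand_bounded(text, macros)
    except MacroExpansionError:
        return True
    return False


def unbounded_hangs(text: str, macros: dict, timeout: float = 1.0) -> bool:
    """Run the naive expander on a daemon thread and report whether it is still running
    after `timeout` seconds (the thread is abandoned and dies with the process)."""
    t = threading.Thread(target=expand_unbounded, args=(text, macros), daemon=True)
    t.start()
    t.join(timeout)
    return t.is_alive()


if __name__ == "__main__":
    print(expand_bounded("Source0: %{src}", SANE_MACROS))  # Source0: foo-1.2.tar.gz
    print("naive expander hangs on cycle:", unbounded_hangs("%{a}", CYCLIC_MACROS))
    print("bounded expander rejects cycle:", expansion_fails("%{a}", CYCLIC_MACROS))
    print("bounded expander rejects growth:", expansion_fails("%{a}", GROWING_MACROS))
```

The design point is that termination must not depend on the input: a parser fed untrusted spec files needs an explicit budget (passes, output size, or both) on any loop whose exit condition is "the text stopped changing", because the attacker controls the text and can make it change forever.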
Comment 1 Markéta Machová 2023-09-14 07:19:52 UTC
Fixed in Factory with https://build.opensuse.org/request/show/1111023 (thanks!).

Does this affect also the version in Leap?
Comment 2 Matej Cepl 2023-10-30 07:17:05 UTC
(In reply to Markéta Machová from comment #1)
> Does this affect also the version in Leap?

It doesn’t seem to be outside of Factory at all:

 $ isc se -V python-python-rpm-spec
No matches found for 'python-python-rpm-spec' in projects
####################################################################
matches for 'python-python-rpm-spec' in packages:

# Project          # Package               # Ver   Rev  Srcmd5
SUSE:Factory:Head  python-python-rpm-spec  0.14.1  6    f7b82e06eaa8d47edc8030a73e627249
 $
Comment 3 Matej Cepl 2023-10-30 07:19:45 UTC
Actually, it is in Leap only:

openSUSE:Leap:15.1                                 python-python-rpm-spec  0.8     2    22c0bbbe9f2eb03417e3914737544183
openSUSE:Leap:15.2                                 python-python-rpm-spec  0.8     3    22c0bbbe9f2eb03417e3914737544183

So, somebody who cares about Leap should probably update that package to something more reasonable.