Bug 1219610

Summary: VUL-0: CVE-2024-24762: python-multipart: ReDoS(Regular expression Denial of Service)
Product: [Novell Products] SUSE Security Incidents Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: andrea.mattiazzo, camila.matos, daniel.garcia, dmueller, meissner, pgajdos, security-team, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/393040/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andrea Mattiazzo 2024-02-06 09:22:26 UTC 
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24762
https://www.cve.org/CVERecord?id=CVE-2024-24762
https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
https://github.com/andrew-d/python-multipart/releases/tag/0.0.7

Patch:
https://github.com/andrew-d/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
Comment 1 Andrea Mattiazzo 2024-02-06 09:23:53 UTC 
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/python-python-multipart  
- openSUSE:Factory/python-python-multipart
Comment 2 Petr Gajdos 2024-02-06 11:33:22 UTC 
Submission into devel project:
https://build.opensuse.org/request/show/1144548
Comment 3 Petr Gajdos 2024-02-07 07:28:07 UTC 
Submission into Factory:
https://build.opensuse.org/request/show/1144633

ALP submission:
https://build.suse.de/request/show/320743
Comment 4 Petr Gajdos 2024-02-08 07:11:42 UTC 
Factory accepted, ALP pending.

I believe all fixed.
Comment 5 OBSbugzilla Bot 2024-03-01 11:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1219610) was mentioned in
https://build.opensuse.org/request/show/1153848 Factory / python-python-multipart
Comment 13 Andrea Mattiazzo 2024-05-16 15:02:30 UTC 
All done, closing.