Bug 1221530 (CVE-2024-21503)

Summary: VUL-0: CVE-2024-21503: python-black: catastrophic performance on docstrings that contain large numbers of leading tab characters
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/397981/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-21503:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2024-03-18 06:33:56 UTC 
Security update Black 24.3.0:

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

Stable style

* Don't move comments along with delimiters, which could cause crashes (#4248)  
* Strengthen AST safety check to catch more unsafe changes to strings. Previous 
  versions of Black would incorrectly format the contents of certain unusual 
  f-strings containing nested strings with the same quote type. Now, Black will 
  crash on such strings until support for the new f-string syntax is implemented.   
  (#4270)
* Fix a bug where line-ranges exceeding the last code line would not work as 
  expected (#4273)

Performance

* Fix catastrophic performance on docstrings that contain large numbers of 
  leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

* Note what happens when --check is used with --quiet (#4236)

References:
https://github.com/psf/black/releases/tag/24.3.0
https://black.readthedocs.io/en/stable/change_log.html#id1
Comment 3 Dirk Mueller 2024-07-11 15:59:46 UTC 
submitted SLE15-SP4 also via version update (should be fully backward compatible)
Comment 5 Maintenance Automation 2024-07-15 12:36:09 UTC 
SUSE-SU-2024:2481-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221530
CVE References: CVE-2024-21503
Maintenance Incident: [SUSE:Maintenance:34752](https://smelt.suse.de/incident/34752/)
Sources used:
openSUSE Leap 15.4 (src):
 python-black-24.3.0-150400.9.8.1
openSUSE Leap 15.6 (src):
 python-black-24.3.0-150400.9.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.