Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport fix for bpo-38804 #610

Merged
merged 1 commit into from
Jan 12, 2023
Merged

Conversation

wshanks
Copy link
Contributor

@wshanks wshanks commented Dec 23, 2022

Recently, a CVE was published for this project related to a CVE previously patched in Python. I am not sure if this project is still maintained any more but it is still listed as a dependency by some other popular projects, so it would be good to patch.

The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). The regex contained multiple overlapping \s* capture groups. A long sequence of spaces can trigger bad performance.

See python/cpython#17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS). The regex contained multiple
overlapping \s* capture groups. A long sequence of spaces can trigger
bad performance.

See python/cpython#17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
@mgorny
Copy link
Contributor

mgorny commented Dec 24, 2022

Given the huge pile of patches we're applying in Gentoo to make it work with Python 3.10, I dare say it's as dead as it can get. However, thank you for making a PR nevertheless, as it makes it easier to patch the CVE on our end (and other distros will probably appreciate that too).

I just hope that GitHub's fancy bots will now start flagging the future library as vulnerable and people will actually care to stop using it. OpenStack is particularly in love with it, and it's true horror.

If you wish to help even some, some help in reporting the use of unmaintained library and convincing people to stop using it would be really appreciated. A lot of distro maintainers have been burned out doing exactly this, i.e. fighting the "it is my project, I can do whatever I like, however bad it is for my users" attitude.

@wshanks
Copy link
Contributor Author

wshanks commented Dec 24, 2022

Thanks @mgorny! I saw there was little activity in the commit log and that there were approved PR's sitting unmerged, but I hadn't realized that the package was actually not working in recent Python versions without patching.

Some good news for you is that a bot flagging CVE's in my subdependencies (though not GitHub's bot) was what led me here.

I will try to encourage future be dropped from packages I depend on. I thought the CVE should at least be acknowledged somewhere on the repo which might help with that. Also, your comment here should help.

Luckily for me, my dependencies seem to be only referencing builtins and just need to drop future from their dependencies without any code changes.

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jan 6, 2023
@sfdye sfdye merged commit 02f7a81 into PythonCharmers:master Jan 12, 2023
@sfdye
Copy link
Collaborator

sfdye commented Jan 12, 2023

Thanks for the fix! Now I just need to figure out how to create a release (and upload to pypi) for this project, as the last time I did was a few years ago..

@sfdye
Copy link
Collaborator

sfdye commented Jan 13, 2023

0.18.3 released!
https://pypi.org/project/future/0.18.3/

@wshanks wshanks deleted the wshanks-patch-1 branch January 23, 2023 16:36
@wshanks
Copy link
Contributor Author

wshanks commented Jan 23, 2023

Nice, @sfdye. I feel like there might not be much motivation for maintaining this package going forward, since most of the community has migrated to Python 3 by now. From what @mgorny said, there are issues with using future on recent versions of Python 3. I don't know the details of those, but I imagine there are a lot of Python packages that just left future in their dependencies even though they do not use it in Python 3 (based on all the references to this PR above). I wonder if something could be done from the future side to encourage projects to move on, like a notice in the readme about the current level maintenace (unless someone wants to review and merge PR's about compatibility with 3.10 and 3.11 but I don't see the motivation).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants