CVE-2022-42969

描述

### Withdrawn Advisory This advisory has been withdrawn because evidence does not suggest that CVE-2022-42969 is a valid, reproducible vulnerability. This link is maintained to preserve external references. ### Original Description The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The particular codepath in question is the regular expression at `py._path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version `7.2.0` which removes their dependency on `py`. Users of `pytest` seeing alerts relating to this advisory may update to version `7.2.0` of `pytest` to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context.

受影響套件(4)

• Debian/python-pyfrom 0
• PyPI/pyfrom 0, <= 1.11.0
• PyPI/pyfrom 0, <= 1.11.0
• PyPI/py

CVSS 分數

參考連結(12)

• ADVISORYhttps://github.com/advisories/GHSA-w596-4wvx-j9j6
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-42969
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-42969
• PATCHhttps://github.com/pytest-dev/py
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/py/PYSEC-2022-42969.yaml
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/py/PYSEC-2022-43183.yaml
• WEBhttps://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316
• WEBhttps://github.com/pytest-dev/py/issues/287
• WEBhttps://github.com/pytest-dev/py/issues/288
• WEBhttps://github.com/pytest-dev/pytest/issues/10392
• WEBhttps://news.ycombinator.com/item?id=34163710
• WEBhttps://pypi.org/project/py