From 31dbb4b075b4710e3adac7ac998a02aaeb2c5d3d Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Fri, 15 Oct 2021 15:21:37 +0100 Subject: [PATCH 1/2] Fix ReDoS in regex. --- Lib/ldap/schema/tokenizer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/ldap/schema/tokenizer.py b/Lib/ldap/schema/tokenizer.py index 69823f2b..623b86d5 100644 --- a/Lib/ldap/schema/tokenizer.py +++ b/Lib/ldap/schema/tokenizer.py @@ -13,7 +13,7 @@ r"|" # or r"([^'$()\s]+)" # string of length >= 1 without '$() or whitespace r"|" # or - r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))" + r"('(?:[^'\\]|\\.)*'(?!\w))" # any string or empty string surrounded by unescaped # single quotes except if right quote is succeeded by # alphanumeric char From 8f80091de2dd2f33c9fb56152e7579ef782901fd Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Nov 2021 15:42:22 +0100 Subject: [PATCH 2/2] Add release note --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 92d9d414..c358fa9e 100644 --- a/CHANGES +++ b/CHANGES @@ -14,6 +14,11 @@ The following undocumented functions are deprecated and scheduled for removal: - ``ldap.cidict.strlist_minus`` - ``ldap.cidict.strlist_union`` +Security fixes: +* Fix inefficient regular expression which allows denial-of-service attacks + when parsing specially-crafted LDAP schema. + (GHSL-2021-117) + Changes: * On MacOS, remove option to make LDAP connections from a file descriptor when built with the system libldap (which lacks the underlying function,