Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

quoted sections in tag not grouped correctly #366

Closed
zzzeek opened this issue Aug 29, 2022 · 1 comment
Closed

quoted sections in tag not grouped correctly #366

zzzeek opened this issue Aug 29, 2022 · 1 comment
Labels
bug Something isn't working lexer

Comments

@zzzeek
Copy link
Member

zzzeek commented Aug 29, 2022

this will crash the Lexer due to the regex:

from mako.lexer import Lexer
template = "<%0" + '"' * 3000
Lexer(template).parse
@sqla-tester
Copy link
Collaborator

Mike Bayer has proposed a fix for this issue in the main branch:

fix tag regexp to match quoted groups correctly https://gerrit.sqlalchemy.org/c/sqlalchemy/mako/+/4053

@zzzeek zzzeek changed the title issue placeholder quoted sections in tag not grouped correctly Aug 29, 2022
@zzzeek zzzeek added bug Something isn't working lexer labels Aug 29, 2022
jbmchuck added a commit to tableau/altimeter that referenced this issue Sep 16, 2022
jbmchuck added a commit to tableau/altimeter that referenced this issue Sep 16, 2022
sbrunner added a commit to camptocamp/shared_config_manager that referenced this issue Sep 28, 2022
  +==============================================================================+
   VULNERABILITIES FOUND
  +==============================================================================+

  -> Vulnerability found in lxml version 4.8.0
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.1.6
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in mako version 1.0.9
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

Ignore CVE

  Title: [1084602] Arbitrary Code Execution in underscore
  Severity: critical
  CWE: CWE-94
  Vulnerable versions: >=1.3.2 <1.12.1
  Patched versions: >=1.12.1
  Recommendation: Upgrade to version 1.12.1 or later
  Version: 1.6.0
  Path: openlayers > nomnom > underscore
  More info: GHSA-cf4h-3jhx-xvhq
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in mako version 1.1.2
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in mako version 1.0.9
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

Ignore CVE

  Title: [1084602] Arbitrary Code Execution in underscore
  Severity: critical
  CWE: CWE-94
  Vulnerable versions: >=1.3.2 <1.12.1
  Patched versions: >=1.12.1
  Recommendation: Upgrade to version 1.12.1 or later
  Version: 1.6.0
  Path: openlayers > nomnom > underscore
  More info: GHSA-cf4h-3jhx-xvhq
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in lxml version 4.6.5
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.1.4
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in lxml version 4.8.0
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.2.0
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in mako version 1.0.9
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  Title: [1084602] Arbitrary Code Execution in underscore
  Severity: critical
  CWE: CWE-94
  Vulnerable versions: >=1.3.2 <1.12.1
  Patched versions: >=1.12.1
  Recommendation: Upgrade to version 1.12.1 or later
  Version: 1.6.0
  Path: openlayers > nomnom > underscore
  More info: GHSA-cf4h-3jhx-xvhq
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in mako version 1.1.2
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Sep 30, 2022
  -> Vulnerability found in mako version 1.1.3
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Sep 30, 2022
  -> Vulnerability found in lxml version 4.6.5
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.1.3
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Sep 30, 2022
-> Vulnerability found in lxml version 4.6.5
Vulnerability ID: 50748
Affected spec: <4.9.1
ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
Dereference allows attackers to cause a denial of service (or application...
CVE-2022-2309
For more information, please visit
https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

-> Vulnerability found in mako version 1.1.3
Vulnerability ID: 50870
Affected spec: <1.2.2
ADVISORY: Mako 1.2.2 includes a fix for a REDoS
vulnerability.sqlalchemy/mako#366
PVE-2022-50870
For more information, please visit
https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Sep 30, 2022
-> Vulnerability found in lxml version 4.6.5
Vulnerability ID: 50748
Affected spec: <4.9.1
ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
Dereference allows attackers to cause a denial of service (or application...
CVE-2022-2309
For more information, please visit
https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

-> Vulnerability found in mako version 1.1.3
Vulnerability ID: 50870
Affected spec: <1.2.2
ADVISORY: Mako 1.2.2 includes a fix for a REDoS
vulnerability.sqlalchemy/mako#366
PVE-2022-50870
For more information, please visit
https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Sep 30, 2022
  -> Vulnerability found in lxml version 4.6.5
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.1.4
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
   -> Vulnerability found in mako version 1.0.9
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
  Title: [1084344] jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
  Severity: moderate
  CWE: CWE-79
  Vulnerable versions: <1.13.2
  Patched versions: >=1.13.2
  Recommendation: Upgrade to version 1.13.2 or later
  Version: 1.13.0
  Path: jquery-ui
  More info: GHSA-h6gj-6jjq-h8g9

  -> Vulnerability found in mako version 1.1.2
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
  -> Vulnerability found in mako version 1.1.4
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/ngeo that referenced this issue Oct 3, 2022
   -> Vulnerability found in mako version 1.0.9
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 3, 2022
  -> Vulnerability found in lxml version 4.6.5
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/

  -> Vulnerability found in mako version 1.1.2
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 3, 2022
  -> Vulnerability found in lxml version 4.7.1
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/

  -> Vulnerability found in mako version 1.1.6
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 4, 2022
  -> Vulnerability found in lxml version 4.6.5
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.1.4
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 6, 2022
  -> Vulnerability found in lxml version 4.8.0
     Vulnerability ID: 50748
     Affected spec: <4.9.1
     ADVISORY: Lxml 4.9.1 include a fix for CVE-2022-2309: NULL Pointer
     Dereference allows attackers to cause a denial of service (or application...
     CVE-2022-2309
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-2309/50748/

  -> Vulnerability found in mako version 1.2.0
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49755
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31117: In versions
     prior to 5.4.0 an error occurring while reallocating a buffer for string...
     CVE-2022-31117
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31117/49755/

  -> Vulnerability found in ujson version 5.2.0
     Vulnerability ID: 49754
     Affected spec: <5.4.0
     ADVISORY: Ujson 5.4.0 includes a fix for CVE-2022-31116: Incorrect
     handling of invalid surrogate pair...
     CVE-2022-31116
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2022-31116/49754/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 6, 2022
  Title: [1084602] Arbitrary Code Execution in underscore
  Severity: critical
  CWE: CWE-94
  Vulnerable versions: >=1.3.2 <1.12.1
  Patched versions: >=1.12.1
  Recommendation: Upgrade to version 1.12.1 or later
  Version: 1.6.0
  Path: openlayers > nomnom > underscore
  More info: GHSA-cf4h-3jhx-xvhq

  -> Vulnerability found in mako version 1.0.9
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 7, 2022
  -> Vulnerability found in mako version 1.1.2
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Oct 7, 2022
  -> Vulnerability found in mako version 1.1.2
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 19, 2022
  -> Vulnerability found in mako version 1.1.6
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in urllib3 version 1.24.3
     Vulnerability ID: 38834
     Affected spec: <1.25.9
     ADVISORY: Urllib3 before 1.25.9 allows CRLF injection if the attacker
     controls the HTTP request method, as demonstrated by inserting CR and LF...
     CVE-2020-26137
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2020-26137/38834/

  -> Vulnerability found in urllib3 version 1.24.3
     Vulnerability ID: 43975
     Affected spec: <1.26.5
     ADVISORY: Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue
     was discovered in urllib3 before 1.26.5. When provided with a URL...
     CVE-2021-33503
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2021-33503/43975/
sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Oct 19, 2022
  -> Vulnerability found in mako version 1.1.6
     Vulnerability ID: 50870
     Affected spec: <1.2.2
     ADVISORY: Mako 1.2.2 includes a fix for a REDoS
     vulnerability.sqlalchemy/mako#366
     PVE-2022-50870
     For more information, please visit
     https://pyup.io/vulnerabilities/PVE-2022-50870/50870/

  -> Vulnerability found in urllib3 version 1.24.3
     Vulnerability ID: 38834
     Affected spec: <1.25.9
     ADVISORY: Urllib3 before 1.25.9 allows CRLF injection if the attacker
     controls the HTTP request method, as demonstrated by inserting CR and LF...
     CVE-2020-26137
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2020-26137/38834/

  -> Vulnerability found in urllib3 version 1.24.3
     Vulnerability ID: 43975
     Affected spec: <1.26.5
     ADVISORY: Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue
     was discovered in urllib3 before 1.26.5. When provided with a URL...
     CVE-2021-33503
     For more information, please visit
     https://pyup.io/vulnerabilities/CVE-2021-33503/43975/
rpurdie pushed a commit to yoctoproject/poky that referenced this issue Nov 1, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

(From OE-Core rev: c927983ba7af9895e550018476759dd12fa90452)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 1, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rpurdie pushed a commit to yoctoproject/poky that referenced this issue Nov 1, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

(From OE-Core rev: 6e1c50a131429cb5cc7b86ea5765c85850f97446)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 1, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rpurdie pushed a commit to yoctoproject/poky that referenced this issue Nov 2, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

(From OE-Core rev: 49ad6f031458e1f48f24547dc88e41abc4ec41a6)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 2, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
kraj pushed a commit to YoeDistro/poky that referenced this issue Nov 2, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

(From OE-Core rev: a32dae12a9beeb5e9d74cd07f8595d0a4bda1850)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Nov 24, 2022
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 49ad6f0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
rickprice pushed a commit to ActiveState/mako that referenced this issue Dec 8, 2023
Fixed issue in lexer where the regexp used to match tags would not
correctly interpret quoted sections individually. While this parsing issue
still produced the same expected tag structure later on, the mis-handling
of quoted sections was also subject to a regexp crash if a tag had a large
number of quotes within its quoted sections.

Fixes: sqlalchemy#366
Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
(cherry picked from commit 9257602)
daregit pushed a commit to daregit/yocto-combined that referenced this issue May 22, 2024
Released: Thu Sep 22 2022
* bug

 - [bug] [lexer]

   * Fixed issue in lexer in the same category as that of #366 where the regexp
     used to match an end tag didn’t correctly organize for matching characters
     surrounded by whitespace, leading to high memory / interpreter hang if a
     closing tag incorrectly had a large amount of unterminated space in it.
     Credit to Sebastian Chnelik for locating the issue.

    As Mako templates inherently render and directly invoke arbitrary Python
    code from the template source, it is never appropriate to create templates
    that contain untrusted input.

    References: #367

[1] https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.3
[2] sqlalchemy/mako#366
[3] sqlalchemy/mako#367

(From OE-Core rev: 49ad6f031458e1f48f24547dc88e41abc4ec41a6)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working lexer
Projects
None yet
Development

No branches or pull requests

2 participants