diff --git a/.gitignore b/.gitignore
index d88c7fc..a2d6c7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ mpmath-0.15.tar.gz
 /python-mpmath-1.1.0.tar.gz
 /python-mpmath-1.2.0.tar.gz
 /python-mpmath-1.2.1.tar.gz
+/python-mpmath-1.3.0.tar.gz
diff --git a/570.patch b/570.patch
deleted file mode 100644
index e3d2c42..0000000
--- a/570.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From c811b37c65a4372a7ce613111d2a508c204f9833 Mon Sep 17 00:00:00 2001
-From: Vinzent Steinberg
-Date: Wed, 10 Feb 2021 16:45:04 +0100
-Subject: [PATCH 1/2] Fix ReDOS vulnerability
-
-Fixes #548, with the workaround suggested by @yetingli.
----
- mpmath/ctx_mp.py | 4 ++--
- mpmath/tests/test_convert.py | 10 ++++++++++
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/mpmath/ctx_mp.py b/mpmath/ctx_mp.py
-index 39fc9411..93594dd4 100644
---- a/mpmath/ctx_mp.py
-+++ b/mpmath/ctx_mp.py
-@@ -42,8 +42,8 @@
-
- new = object.__new__
-
--get_complex = re.compile(r'^\(?(?P[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?)??'
-- r'(?P[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?j)?\)?$')
-+get_complex = re.compile(r'^\(?(?P[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?)??'
-+ r'(?P[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?j)?\)?$')
-
- if BACKEND == 'sage':
- from sage.libs.mpmath.ext_main import Context as BaseMPContext
-diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py
-index 3e2f5559..cf1a91da 100644
---- a/mpmath/tests/test_convert.py
-+++ b/mpmath/tests/test_convert.py
-@@ -194,6 +194,16 @@ def test_mpmathify():
- assert mpmathify('(1.2e-10 - 3.4e5j)') == mpc('1.2e-10', '-3.4e5')
- assert mpmathify('1j') == mpc(1j)
-
-+def test_issue548():
-+ try:
-+ # This expression is invalid, but may trigger the ReDOS vulnerability
-+ # in the regular expression.
-+ mpmathify('(' + '1' * 5000 + '!j')
-+ except:
-+ return
-+ # The expression is invalid and should raise an exception.
-+ assert False -+ - def test_compatibility(): - try: - import numpy as np - -From 2865c7d12b2a077d420427ad187eca831a48bff4 Mon Sep 17 00:00:00 2001 -From: Vinzent Steinberg -Date: Wed, 10 Feb 2021 16:47:57 +0100 -Subject: [PATCH 2/2] Improve comment - ---- - mpmath/tests/test_convert.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py -index cf1a91da..cb1db5b5 100644 ---- a/mpmath/tests/test_convert.py -+++ b/mpmath/tests/test_convert.py -@@ -197,7 +197,7 @@ def test_mpmathify(): - def test_issue548(): - try: - # This expression is invalid, but may trigger the ReDOS vulnerability -- # in the regular expression. -+ # in the regular expression for parsing complex numbers. - mpmathify('(' + '1' * 5000 + '!j') - except: - return diff --git a/python-mpmath.spec b/python-mpmath.spec index af86af7..d352e14 100644 --- a/python-mpmath.spec +++ b/python-mpmath.spec @@ -1,5 +1,5 @@ Name: python-mpmath -Version: 1.2.1 +Version: 1.3.0 Release: %autorelease Summary: A pure Python library for multiprecision floating-point arithmetic License: BSD @@ -10,9 +10,6 @@ Source0: https://github.com/fredrik-johansson/mpmath/archive/%{version}/% # Switch to 'traditional' theme in RHEL since 'classic' isn't available Patch0: python-mpmath-1.0.0-sphinx.patch -# #1974835 - CVE-2021-29063 python-mpmath: Regular expression denial of service in the mpmathify function -Patch1: https://github.com/fredrik-johansson/mpmath/pull/570.patch - BuildRequires: python3-devel BuildRequires: python3-pip BuildRequires: python3-setuptools @@ -23,7 +20,12 @@ BuildRequires: xorg-x11-server-Xvfb # For building documentation BuildRequires: dvipng -BuildRequires: tex(latex) +BuildRequires: make +BuildRequires: latexmk +BuildRequires: texlive-collection-basic +BuildRequires: texlive-collection-latexrecommended +BuildRequires: texlive-collection-latexextra +BuildRequires: texlive-collection-fontsrecommended BuildArch: noarch 
@@ -65,7 +67,6 @@ This package contains the HTML documentation for %{name}. %if 0%{?rhel} == 6 || 0%{?rhel} == 7 %patch0 -p1 -b .sphinx %endif -%patch1 -p1 # Convert line encodings for doc in CHANGES LICENSE README.rst TODO mpmath/tests/runtests.py; do @@ -73,7 +74,7 @@ for doc in CHANGES LICENSE README.rst TODO mpmath/tests/runtests.py; do touch -r $doc $doc.new && \ mv $doc.new $doc done -find doc -name *.txt -exec sed -i "s|\r||g" {} \; +find docs -name *.txt -exec sed -i "s|\r||g" {} \; shebangs="mpmath/matrices/eigen.py mpmath/matrices/eigen_symmetric.py mpmath/tests/runtests.py mpmath/tests/test_eigen.py mpmath/tests/test_eigen_symmetric.py mpmath/tests/test_levin.py" # Get rid of unnecessary shebangs @@ -89,8 +90,8 @@ sed -i -r 's/use_scm_version=True/version="%{version}"/' setup.py %py3_build # Build documentation -cd doc -%{__python3} build.py +%{__python3} setup.py build_sphinx -c docs -b html,latex +make -C build/sphinx/latex all-pdf %install %py3_install @@ -101,12 +102,12 @@ xvfb-run -a pytest-3 -v %files -n python3-mpmath %license LICENSE -%doc CHANGES README.rst TODO +%doc CHANGES README.rst %{python3_sitelib}/mpmath/ %{python3_sitelib}/mpmath-%{version}-*.egg-info %files doc -%doc doc/build/* +%doc build/sphinx/latex/mpmath.pdf build/sphinx/html/ build/sphinx/doctrees/ %changelog %autochangelog diff --git a/sources b/sources index df28092..86a4573 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (python-mpmath-1.2.1.tar.gz) = 2dd908bca26162adcdce0493146d009e04d3d96db965ff2207c332504020fa6f5a5e2af97d38e8fb3e7442a26c1e93a756a8d93b378da720ab7c07753f700d10 +SHA512 (python-mpmath-1.3.0.tar.gz) = ec703e661323035e3c973fc2e52206e793f6182ed9897e5a483cb35a22421d7869df850cdd89fc1ef4e1bb28b17b4914447116dbeed136a687e582cce0bf9e42
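Review bot: The `-name *.txt` pattern on the changed `find docs` line in `%prep` of python-mpmath.spec is unquoted, so the shell expands it before find runs whenever a `.txt` file sits in the top of the unpacked source tree; find then matches only that one name or aborts with a usage error. Quoting keeps the glob for find itself: `find docs -name '*.txt' -exec sed -i "s|\r||g" {} \;`. Since the directory was renamed from `doc` to `docs`, it is also worth confirming the tree still holds `.txt` files; if upstream changed the extension this line silently does nothing. The rest of `%prep` lies outside this hunk.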
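Review bot: The new `%{__python3} setup.py build_sphinx -c docs -b html,latex` line in `%build` relies on Sphinx's setuptools integration, which was deprecated and then removed in Sphinx 7.0, so the documentation build fails as soon as the buildroot carries a Sphinx that new. Invoking the builder directly avoids the dependency on that hook and keeps the output paths the `%files doc` section expects: `sphinx-build -b html docs build/sphinx/html` and `sphinx-build -b latex docs build/sphinx/latex`. This assumes the documentation sources live next to `conf.py` under `docs`, which the hunk does not show. The following `make -C build/sphinx/latex all-pdf` line can stay as is.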
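Review bot: `build/sphinx/doctrees/` on the new `%doc` line under `%files doc` is Sphinx's pickled build cache rather than documentation, and listing it installs those pickles into the doc subpackage. They record build-time paths and environment state, which works against reproducible builds and ships files that no consumer should be loading. Suggest `%doc build/sphinx/latex/mpmath.pdf build/sphinx/html/` instead. The HTML output directory typically also contains a `.buildinfo` file that is worth deleting before packaging, for example `rm -f build/sphinx/html/.buildinfo` at the end of `%build`.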