[ Reason ]
Fix ReDoS vulnerability in pymatgen: CVE-2022-42964. [1]
[ Impact ]
A crafted Gaussian input string can trigger exponential
backtracking in GaussianInput.from_string, leading to
excessive CPU usage and potential denial of service.
[ Tests ]
The vulnerable code path was tested with the proposed
patch applied.
[ Risks ]
Low risk. The change is limited to the Gaussian input
parser and is a targeted backport of the upstream fix.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backported upstream patch fixing ReDoS in
GaussianInput.from_string.
[ Other info ]
Testing against the version currently available in bookworm
did not reveal any issues. However, while testing with the
python3.11 version currently in bookworm-proposed-updates,
I observed an autopkgtest failure in a reverse dependency.
At this point it is still unclear whether the issue is caused
by a regression in python3.11 or by the reverse dependency
itself.
As part of that investigation, an existing patch in
python-emmet-core appears to mitigate the observed failure.
If further action is required, a separate bookworm-pu request
will be filed for that package.
@dparsons has reviewed this backport and will sponsor it.