Ubuntu Security Notice USN-7040-1
Ubuntu Security Notice 7040-1 - It was discovered that ConfigObj contains regex that is susceptible to catastrophic backtracking. An attacker could possibly use this issue to cause a regular expression denial of service.
==========================================================================
Ubuntu Security Notice USN-7040-1
September 26, 2024
configobj vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
ConfigObj could be made to crash if it received specially crafted input.
Software Description:
- configobj: simple but powerful config file reader and writer for Python
Details:
It was discovered that ConfigObj contains regex that is susceptible to
catastrophic backtracking. An attacker could possibly use this issue to
cause a regular expression denial of service.
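The pattern behind this notice is named in the CVE-2023-26112 description quoted under Related news: (.+?)\((.*)\) in the validate function, which splits a check string such as integer(0, 100) into a function name and its argument list. The following is an added example, not code from the Ubuntu notice or from the ConfigObj project: it reproduces that regex next to a linear-time scanner that returns exactly the same (name, args) tuple, and compares the two over constructed samples. The regex backtracks because the lazy (.+?) stops at every '(' in turn and, for each one, the greedy (.*) consumes the remainder and walks back looking for a ')', so the work grows quadratically with the number of parentheses in a string that never matches; the scanner does one forward find and one reverse find and cannot be made to loop.

```python
import re

# The pattern named in the CVE-2023-26112 description for configobj's validate function.
FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)


def split_check_regex(check):
    """Regex split of a check string such as 'integer(0, 100)' into (name, args)."""
    m = FUNC_RE.match(check)
    if m is None:
        return None
    return m.group(1), m.group(2)


def split_check_linear(check):
    """Same result as FUNC_RE.match, computed with two scans and no backtracking.

    The lazy (.+?) matches at least one character, so the name ends at the first
    '(' at index 1 or later; the greedy (.*) followed by \\) runs to the last ')'
    after that '('. re.match does not anchor the end, so trailing text is ignored.
    """
    open_idx = check.find("(", 1)
    if open_idx == -1:
        return None
    close_idx = check.rfind(")")
    if close_idx < open_idx:
        return None
    return check[:open_idx], check[open_idx + 1:close_idx]


def agree(samples):
    """True when both implementations return the same value for every sample."""
    return all(split_check_regex(s) == split_check_linear(s) for s in samples)


# Constructed sample check strings (not taken from any real configspec), including
# malformed ones that the regex rejects and nested or stray parentheses.
SAMPLES = [
    "integer(0, 100)",
    "option('a', 'b')",
    "string",
    "f(a(b)c)",
    "f(a)b)",
    "((x)",
    "(x)",
    "f(",
    "f)(",
    "a)(",
    "f(\n)",
    "",
]

if __name__ == "__main__":
    # The scanner handles a long unmatched string without re-scanning it per '('.
    print(split_check_linear("a" + "(" * 100000))
    print(agree(SAMPLES))
```

The scanner is offered as an illustration of a backtracking-free equivalent; the supported fix is the package update listed below.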
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
python3-configobj 5.0.6-5ubuntu0.1
Ubuntu 20.04 LTS
python3-configobj 5.0.6-4ubuntu0.1
Ubuntu 18.04 LTS
python-configobj 5.0.6-2ubuntu0.18.04.1~esm1
Available with Ubuntu Pro
python3-configobj 5.0.6-2ubuntu0.18.04.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-configobj 5.0.6-2ubuntu0.16.04.1~esm1
Available with Ubuntu Pro
python3-configobj 5.0.6-2ubuntu0.16.04.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
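To confirm that a host actually carries one of the fixed versions above, the installed version has to be compared with dpkg's ordering rather than as a string (for example, 5.0.6-2ubuntu0.18.04.1~esm1 sorts below 5.0.6-2ubuntu0.18.04.1 because '~' sorts before the end of the string). The following is an added example, not part of the notice or of Ubuntu's tooling: it reimplements the dpkg version comparison in Python, embeds the fixed versions exactly as listed in this notice, and classifies lines of the form produced by `dpkg-query -W -f='${Package} ${Version}\n' 'python*-configobj'`. The sample dpkg-query output is constructed, not captured from a real host, and the release string passed to assess() is assumed to be known by the caller (for instance from /etc/os-release).

```python
# Fixed package versions exactly as listed in USN-7040-1, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "22.04": {"python3-configobj": "5.0.6-5ubuntu0.1"},
    "20.04": {"python3-configobj": "5.0.6-4ubuntu0.1"},
    "18.04": {"python-configobj": "5.0.6-2ubuntu0.18.04.1~esm1",
              "python3-configobj": "5.0.6-2ubuntu0.18.04.1~esm1"},
    "16.04": {"python-configobj": "5.0.6-2ubuntu0.16.04.1~esm1",
              "python3-configobj": "5.0.6-2ubuntu0.16.04.1~esm1"},
}


def _order(c):
    # dpkg's character weight: '~' sorts before everything, even end of string (0);
    # letters sort before other non-digit characters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of one version component (upstream part or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: compare character by character using dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: drop leading zeros; the longer run is larger, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def _split_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordering a against b as `dpkg --compare-versions` does."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    if c != 0:
        return c
    return _verrevcmp(ra, rb)


def assess(dpkg_output, release):
    """Classify each '<package> <version>' line against the fixed versions for release."""
    fixed = FIXED_VERSIONS.get(release, {})
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, installed = line.split(None, 1)
        if package not in fixed:
            result[package] = "not listed in USN-7040-1"
        elif compare_versions(installed.strip(), fixed[package]) >= 0:
            result[package] = "fixed"
        else:
            result[package] = "vulnerable"
    return result


# Constructed sample of dpkg-query output (not captured from a real host).
SAMPLE_DPKG_OUTPUT = "python3-configobj 5.0.6-5\n"

if __name__ == "__main__":
    for package, status in assess(SAMPLE_DPKG_OUTPUT, "22.04").items():
        print(f"{package}: {status}")
```

Epochs are compared numerically first, then the upstream part, then the revision, which is why the Ubuntu security revisions (5ubuntu0.1 above 5, and the ~esm1 suffix below the plain revision) come out in the order dpkg itself would apply.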
References:
https://ubuntu.com/security/notices/USN-7040-1
CVE-2023-26112
Package Information:
https://launchpad.net/ubuntu/+source/configobj/5.0.6-5ubuntu0.1
https://launchpad.net/ubuntu/+source/configobj/5.0.6-4ubuntu0.1
Related news
Ubuntu Security Notice 7040-2 - USN-7040-1 fixed a vulnerability in ConfigObj. This update provides the corresponding update for Ubuntu 14.04 LTS. It was discovered that ConfigObj contains regex that is susceptible to catastrophic backtracking. An attacker could possibly use this issue to cause a regular expression denial of service.
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). Note: this is only exploitable in the case of a developer putting the offending value in a server-side configuration file.