[Debichem-devel] Bug#1138216: bookworm-pu: package python3-pymatgen/2022.11.7+dfsg1-11+deb12u2
Matheus Polkorny
mpolkorny at gmail.com
Fri May 29 15:45:10 BST 2026
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python3-pymatgen at packages.debian.org
Control: affects -1 + src:python3-pymatgen
User: release.debian.org at packages.debian.org
Usertags: pu bsp-2026-05-07-brazil

[ Reason ]
Fix ReDoS vulnerability in pymatgen: CVE-2022-42964. [1]

[ Impact ]
A crafted Gaussian input string can trigger exponential
backtracking in GaussianInput.from_string, leading to
excessive CPU usage and potential denial of service.
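As an added regression check, not part of the debdiff or of pymatgen itself: the two _zmat_patt regexes below are copied from the patch hunk in the attached debdiff, the Z-matrix sample lines are constructed for this check, and the timing helper runs only the patched pattern.

```python
import re
import time

# Both regexes are copied from the debdiff: the original _zmat_patt and the
# CVE-2022-42964 replacement. Everything else in this file is added test code.
ZMAT_ORIGINAL = re.compile(r"^(\w+)*([\s,]+(\w+)[\s,]+(\w+))*[\-\.\s,\w]*$")
ZMAT_PATCHED = re.compile(r"^(\w+)([\s,]+(\w+)[\s,]+(\w+)){0,3}[\-\.\s,\w]*$")

# Constructed lines in Gaussian Z-matrix style (element, then reference-atom
# and value pairs, space- or comma-separated); not from a real input deck.
ZMAT_LINES = [
    "C",
    "H 1 1.089",
    "H 1 1.089 2 109.471 3 120.0",
    "H,1,B1,2,A1,3,D1",
    "C1 2 1.54 1 109.5 3 -60.0",
]


def accepted(pattern, line):
    """True if `pattern` accepts `line` as a Z-matrix line."""
    return pattern.match(line) is not None


def disagreements(lines):
    """Lines on which the original and patched patterns disagree.
    Empty for legitimate Z-matrix lines: the trailing [\\-\\.\\s,\\w]* absorbs
    any fields beyond the {0,3} bound. Only empty lines and lines starting
    with whitespace change: the original accepted them, ^(\\w+) does not.
    """
    return [ln for ln in lines
            if accepted(ZMAT_ORIGINAL, ln) != accepted(ZMAT_PATCHED, ln)]


def patched_reject_time(length=2000):
    """Run only the patched pattern on a long line that cannot match.
    A run of word characters ending in a character outside the allowed class
    is the shape on which the original pattern backtracks exponentially; the
    patched one has no nested unbounded quantifier. Returns (matched, seconds).
    """
    line = "C" * length + "!"
    start = time.perf_counter()
    matched = accepted(ZMAT_PATCHED, line)
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    print("disagreements:", disagreements(ZMAT_LINES + [" C", ""]))
    print("patched pattern on a long bad line:", patched_reject_time())
```

The only acceptance difference the check surfaces is for empty lines and lines with leading whitespace, which matters only if from_string matches lines without stripping them first.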

[ Tests ]
The vulnerable code path was tested with the proposed
patch applied.

[ Risks ]
Low risk. The change is limited to the Gaussian input
parser and is a targeted backport of the upstream fix.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Backported upstream patch fixing ReDoS in
GaussianInput.from_string.

[ Other info ]
Testing against the version currently available in bookworm
did not reveal any issues. However, while testing with the
python3.11 version currently in bookworm-proposed-updates,
I observed an autopkgtest failure in a reverse dependency.
At this point it is still unclear whether the issue is caused
by a regression in python3.11 or by the reverse dependency
itself.

As part of that investigation, an existing patch in
python-emmet-core appears to mitigate the observed failure.
If further action is required, a separate bookworm-pu request
will be filed for that package.

@dparsons has reviewed this backport and will sponsor it.
-------------- next part --------------
diff -Nru pymatgen-2022.11.7+dfsg1/debian/changelog pymatgen-2022.11.7+dfsg1/debian/changelog
--- pymatgen-2022.11.7+dfsg1/debian/changelog 2024-08-28 10:15:13.000000000 -0300
+++ pymatgen-2022.11.7+dfsg1/debian/changelog 2026-05-27 08:45:16.000000000 -0300
@@ -1,3 +1,12 @@
+pymatgen (2022.11.7+dfsg1-11+deb12u2) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches:
+ - CVE-2022-42964: Import and backport patch (Closes: #1024017)
+ (Fix exponential ReDoS in GaussianInput.from_string method)
+
+ -- Matheus Polkorny <mpolkorny at gmail.com> Wed, 27 May 2026 08:45:16 -0300
+
pymatgen (2022.11.7+dfsg1-11+deb12u1) bookworm-security; urgency=medium
* CVE-2024-23346 (Closes: #1064514)
diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch
--- pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch 1969-12-31 21:00:00.000000000 -0300
+++ pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2022-42964.patch 2026-05-27 08:45:16.000000000 -0300
@@ -0,0 +1,24 @@
+From: Luis Barroso-Luque <lbluque at users.noreply.github.com>
+Date: Tue, 12 Aug 2025 17:03:47 -0700
+Subject: patch ReDOS vulnerability:
+ https://salsa.debian.org/debichem-team/pymatgen/-/commit/dcba4226dfc59789070bd1f7aa40b953e7722651
+ (#4476)
+
+Origin: upstream, https://github.com/materialsproject/pymatgen/commit/0f5c4af439817a7742dc2d4608357cc252f655f8
+---
+ pymatgen/io/gaussian.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pymatgen/io/gaussian.py b/pymatgen/io/gaussian.py
+index c17bdbc..76fbae8 100644
+--- a/pymatgen/io/gaussian.py
++++ b/pymatgen/io/gaussian.py
+@@ -90,7 +90,7 @@ class GaussianInput:
+ """
+
+ # Commonly used regex patterns
+- _zmat_patt = re.compile(r"^(\w+)*([\s,]+(\w+)[\s,]+(\w+))*[\-\.\s,\w]*$")
++ _zmat_patt = re.compile(r"^(\w+)([\s,]+(\w+)[\s,]+(\w+)){0,3}[\-\.\s,\w]*$")
+ _xyz_patt = re.compile(r"^(\w+)[\s,]+([\d\.eE\-]+)[\s,]+([\d\.eE\-]+)[\s,]+" r"([\d\.eE\-]+)[\-\.\s,\w.]*$")
+
+ def __init__(
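Review bot: the anchor change from "^(\w+)*" to "^(\w+)" in the _zmat_patt hunk narrows the accepted input as well as removing the nested quantifier: an empty line, or a line beginning with whitespace or a comma, matched the old pattern (every component of it was optional) and no longer matches, so this is a behaviour change for any caller that does not strip lines before matching, and the submission should state whether from_string does. The "{0,3}" bound itself does not change acceptance, since the trailing "[\-\.\s,\w]*" still absorbs any further fields. Separately, the DEP-3 header is mangled: the salsa.debian.org commit URL sits inside the "Subject:" continuation between the upstream title and its "(#4476)" PR reference; it belongs in its own header field, not in the subject line.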
diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/series pymatgen-2022.11.7+dfsg1/debian/patches/series
--- pymatgen-2022.11.7+dfsg1/debian/patches/series 2024-08-28 10:15:13.000000000 -0300
+++ pymatgen-2022.11.7+dfsg1/debian/patches/series 2026-05-27 08:45:16.000000000 -0300
@@ -12,3 +12,4 @@
stress_fp_approx_2839.patch
no_mp_api.patch
CVE-2024-23346.patch
+CVE-2022-42964.patch