On behalf of the Plone/Zope Security Team and the icalendar maintainers,
I announce the following.
Summary:
Component.__eq__ compares subcomponents in O(2^n) time relative to
nesting depth. Because the parser accepts arbitrarily nested components,
a sub-kilobyte .ics file is enough to make a single equality check run
for minutes or hang indefinitely. Any application that compares parsed
components (==, !=, in, set/dict membership, deduplication, test
assertions) against attacker-supplied calendar data is exposed to denial
of service.
icalendar 7.1.0, 7.1.1, and 7.1.2 are affected. It is fixed in icalendar
7.1.3. Earlier versions are not affected.
(Version 7.2.0 was released today, and also has the fix.)
For details see
https://github.com/collective/icalendar/security/advisories/GHSA-cv84-9p8j-fj68
Kind regards,
Maurits van Rees
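As an added illustration of the summary above (this is example code written for this note, not icalendar's own code and not the 7.1.3 fix): the nesting depth of a .ics file can be bounded before the text ever reaches the parser or an equality check, since the attack depends only on deep BEGIN:/END: nesting. The depth limit MAX_DEPTH, the helper names, and the sample calendars are assumptions constructed for the example; the hostile input is built the way the advisory describes, a sub-kilobyte file whose components nest dozens of levels deep.

```python
"""
Pre-parse nesting-depth check for iCalendar input (added example, not
icalendar project code). It unfolds RFC 5545 line folding, walks the
BEGIN:/END: lines of the raw text, and rejects input that nests deeper
than a caller-chosen limit, or that is unbalanced, before the data is
parsed or compared. MAX_DEPTH and all helper names are assumptions.
"""

# Assumed limit: ordinary calendars nest VCALENDAR > VEVENT > VALARM, so
# a handful of levels is generous; anything deeper is treated as hostile.
MAX_DEPTH = 8

# Constructed benign calendar, including one folded line (continuation
# line starting with a space) to show that folding is handled.
BENIGN = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:1\r\n"
    "SUMMARY:Long title\r\n folded here\r\n"
    "BEGIN:VALARM\r\n"
    "ACTION:DISPLAY\r\n"
    "END:VALARM\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold(text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by one space or
    tab is a continuation of the previous content line, not a new line."""
    for fold in ("\r\n ", "\r\n\t", "\n ", "\n\t"):
        text = text.replace(fold, "")
    return text


def nesting_depth(text: str) -> int:
    """Return the maximum BEGIN:/END: nesting depth of an iCalendar text.

    Raises ValueError on an END with no matching BEGIN, on a name
    mismatch, or on unterminated components, so malformed input is
    rejected instead of being passed on.
    """
    stack = []
    max_depth = 0
    for raw in unfold(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        # Content lines are NAME[;params]:VALUE; BEGIN/END carry no params.
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.upper()
        value = value.strip().upper()
        if name == "BEGIN":
            stack.append(value)
            max_depth = max(max_depth, len(stack))
        elif name == "END":
            if not stack or stack[-1] != value:
                raise ValueError(f"END:{value} does not match an open component")
            stack.pop()
    if stack:
        raise ValueError(f"unterminated component(s): {stack}")
    return max_depth


def is_safe_to_compare(text: str, limit: int = MAX_DEPTH) -> bool:
    """True if the text is balanced and nests no deeper than `limit`.
    Call this on untrusted .ics data before parsing, and certainly before
    putting the parsed Component into ==, in, set or dict operations."""
    try:
        return nesting_depth(text) <= limit
    except ValueError:
        return False


def build_nested_ics(levels: int) -> str:
    """Construct attacker-style input: a VCALENDAR whose VEVENTs nest
    `levels` deep. Not a valid real-world calendar; built for the demo."""
    body = "BEGIN:VEVENT\r\n" * levels + "END:VEVENT\r\n" * levels
    return "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n" + body + "END:VCALENDAR\r\n"


if __name__ == "__main__":
    hostile = build_nested_ics(30)
    print(len(hostile.encode()), "bytes, nesting depth", nesting_depth(hostile))
    print("benign accepted:", is_safe_to_compare(BENIGN))
    print("hostile accepted:", is_safe_to_compare(hostile))
```

The check is a defensive belt for code that must keep consuming untrusted calendars from the network; it does not replace upgrading to icalendar 7.1.3 or later, which is the actual fix. Thirty nested levels fit in well under a kilobyte, which is the point of the advisory: file size limits alone do not help.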