diff options
| author | Guilhem Moulin <guilhem@debian.org> | 2024-12-21 18:18:53 +0100 |
|---|---|---|
| committer | git-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com> | 2025-01-11 17:11:59 +0000 |
| commit | 76335e6d85d902867bf7b40da2696c485f92d6ea (patch) | |
| tree | 127af43fa0bce893e4126c175c3b042ab3118580 | |
| parent | e8c147c8386ac292a58d16dd314631b293f33c8c (diff) | |
0.4.2-1+deb12u1 (patches unapplied)import/0.4.2-1+deb12u1debian/bookworm
Imported using git-ubuntu import.
Notes
Notes:
* Non-maintainer upload.
* Fix CVE-2023-30608: Parser contains a regular expression that is
vulnerable to ReDOS. (Closes: #1034615)
* Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of
Service. (Closes: #1070148)
* Adjust d/salsa-ci.yml for bookworm.
| -rw-r--r-- | debian/changelog | 11 | ||||
| -rw-r--r-- | debian/patches/CVE-2023-30608.patch | 47 | ||||
| -rw-r--r-- | debian/patches/CVE-2024-4340.patch | 78 | ||||
| -rw-r--r-- | debian/patches/series | 2 | ||||
| -rw-r--r-- | debian/salsa-ci.yml | 5 |
5 files changed, 143 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 78ed9c2..5286408 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +sqlparse (0.4.2-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2023-30608: Parser contains a regular expression that is + vulnerable to ReDOS. (Closes: #1034615) + * Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of + Service. (Closes: #1070148) + * Adjust d/salsa-ci.yml for bookworm. + + -- Guilhem Moulin <guilhem@debian.org> Sat, 21 Dec 2024 18:18:53 +0100 + sqlparse (0.4.2-1) unstable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2023-30608.patch b/debian/patches/CVE-2023-30608.patch new file mode 100644 index 0000000..5295c07 --- /dev/null +++ b/debian/patches/CVE-2023-30608.patch @@ -0,0 +1,47 @@ +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Mon, 20 Mar 2023 08:33:46 +0100 +Subject: Remove unnecessary parts in regex for bad escaping. + +The regex tried to deal with situations where escaping in the +SQL to be parsed was suspicious. + +Origin: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb +Bug: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-30608 +Bug-Debian: https://bugs.debian.org/1034615 +--- + sqlparse/keywords.py | 4 ++-- + tests/test_split.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py +index 6850628..4e97477 100644 +--- a/sqlparse/keywords.py ++++ b/sqlparse/keywords.py +@@ -66,9 +66,9 @@ SQL_REGEX = { + (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', + tokens.Number.Float), + (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), +- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), ++ (r"'(''|\\'|[^'])*'", tokens.String.Single), + # not a real string literal in ANSI SQL: +- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol), ++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol), + (r'(""|".*?[^\\]")', tokens.String.Symbol), + # sqlite names can be escaped with [square brackets]. left bracket + # cannot be preceded by word character or a right bracket -- +diff --git a/tests/test_split.py b/tests/test_split.py +index a9d7576..e79750e 100644 +--- a/tests/test_split.py ++++ b/tests/test_split.py +@@ -18,8 +18,8 @@ def test_split_semicolon(): + + + def test_split_backslash(): +- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") +- assert len(stmts) == 3 ++ stmts = sqlparse.parse("select '\'; select '\'';") ++ assert len(stmts) == 2 + + + @pytest.mark.parametrize('fn', ['function.sql', diff --git a/debian/patches/CVE-2024-4340.patch b/debian/patches/CVE-2024-4340.patch new file mode 100644 index 0000000..56fa237 --- /dev/null +++ b/debian/patches/CVE-2024-4340.patch @@ -0,0 +1,78 @@ +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Sat, 13 Apr 2024 13:59:00 +0200 +Subject: Raise SQLParseError instead of RecursionError. + +Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 +Origin: https://github.com/andialbrecht/sqlparse/commit/29f2e0a6609ddc1fa248faef1bc41616043c544e +Bug: https://github.com/advisories/GHSA-2m57-hf25-phgg +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-4340 +Bug-Debian: https://bugs.debian.org/1070148 +--- + sqlparse/sql.py | 14 +++++++++----- + tests/test_regressions.py | 16 ++++++++++++++++ + 2 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/sqlparse/sql.py b/sqlparse/sql.py +index 6a32c26..ffffc77 100644 +--- a/sqlparse/sql.py ++++ b/sqlparse/sql.py +@@ -10,6 +10,7 @@ + import re + + from sqlparse import tokens as T ++from sqlparse.exceptions import SQLParseError + from sqlparse.utils import imt, remove_quotes + + +@@ -209,11 +210,14 @@ class TokenList(Token): + + This method is recursively called for all child tokens. + """ +- for token in self.tokens: +- if token.is_group: +- yield from token.flatten() +- else: +- yield token ++ try: ++ for token in self.tokens: ++ if token.is_group: ++ yield from token.flatten() ++ else: ++ yield token ++ except RecursionError as err: ++ raise SQLParseError('Maximum recursion depth exceeded') from err + + def get_sublists(self): + for token in self.tokens: +diff --git a/tests/test_regressions.py b/tests/test_regressions.py +index 38d1840..29311ea 100644 +--- a/tests/test_regressions.py ++++ b/tests/test_regressions.py +@@ -1,7 +1,10 @@ ++import sys ++ + import pytest + + import sqlparse + from sqlparse import sql, tokens as T ++from sqlparse.exceptions import SQLParseError + + + def test_issue9(): +@@ -418,3 +421,16 @@ def test_splitting_at_and_backticks_issue588(): + 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;') + assert len(splitted) == 2 + assert splitted[-1] == 'grant bar to user1@`myhost`;' ++ ++ ++@pytest.fixture ++def limit_recursion(): ++ curr_limit = sys.getrecursionlimit() ++ sys.setrecursionlimit(100) ++ yield ++ sys.setrecursionlimit(curr_limit) ++ ++ ++def test_max_recursion(limit_recursion): ++ with pytest.raises(SQLParseError): ++ sqlparse.parse('[' * 1000 + ']' * 1000) diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..9d732e6 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2023-30608.patch +CVE-2024-4340.patch diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a64..e59a419 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -2,3 +2,8 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bookworm' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_LINTIAN: 1 |
