summaryrefslogtreecommitdiff
diff options
authorGuilhem Moulin <guilhem@debian.org>2024-12-21 18:18:53 +0100
committergit-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com>2025-01-11 17:11:59 +0000
commit76335e6d85d902867bf7b40da2696c485f92d6ea (patch)
tree127af43fa0bce893e4126c175c3b042ab3118580
parente8c147c8386ac292a58d16dd314631b293f33c8c (diff)
0.4.2-1+deb12u1 (patches unapplied)import/0.4.2-1+deb12u1debian/bookworm
Imported using git-ubuntu import.
Notes
Notes: * Non-maintainer upload. * Fix CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS. (Closes: #1034615) * Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of Service. (Closes: #1070148) * Adjust d/salsa-ci.yml for bookworm.
-rw-r--r--debian/changelog11
-rw-r--r--debian/patches/CVE-2023-30608.patch47
-rw-r--r--debian/patches/CVE-2024-4340.patch78
-rw-r--r--debian/patches/series2
-rw-r--r--debian/salsa-ci.yml5
5 files changed, 143 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 78ed9c2..5286408 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+sqlparse (0.4.2-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-30608: Parser contains a regular expression that is
+ vulnerable to ReDOS. (Closes: #1034615)
+ * Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of
+ Service. (Closes: #1070148)
+ * Adjust d/salsa-ci.yml for bookworm.
+
+ -- Guilhem Moulin <guilhem@debian.org> Sat, 21 Dec 2024 18:18:53 +0100
+
sqlparse (0.4.2-1) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/CVE-2023-30608.patch b/debian/patches/CVE-2023-30608.patch
new file mode 100644
index 0000000..5295c07
--- /dev/null
+++ b/debian/patches/CVE-2023-30608.patch
@@ -0,0 +1,47 @@
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
+Bug: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-30608
+Bug-Debian: https://bugs.debian.org/1034615
+---
+ sqlparse/keywords.py | 4 ++--
+ tests/test_split.py | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index 6850628..4e97477 100644
+--- a/sqlparse/keywords.py
++++ b/sqlparse/keywords.py
+@@ -66,9 +66,9 @@ SQL_REGEX = {
+ (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
+ tokens.Number.Float),
+ (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
++ (r"'(''|\\'|[^'])*'", tokens.String.Single),
+ # not a real string literal in ANSI SQL:
+- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
+ (r'(""|".*?[^\\]")', tokens.String.Symbol),
+ # sqlite names can be escaped with [square brackets]. left bracket
+ # cannot be preceded by word character or a right bracket --
+diff --git a/tests/test_split.py b/tests/test_split.py
+index a9d7576..e79750e 100644
+--- a/tests/test_split.py
++++ b/tests/test_split.py
+@@ -18,8 +18,8 @@ def test_split_semicolon():
+
+
+ def test_split_backslash():
+- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+- assert len(stmts) == 3
++ stmts = sqlparse.parse("select '\'; select '\'';")
++ assert len(stmts) == 2
+
+
+ @pytest.mark.parametrize('fn', ['function.sql',
diff --git a/debian/patches/CVE-2024-4340.patch b/debian/patches/CVE-2024-4340.patch
new file mode 100644
index 0000000..56fa237
--- /dev/null
+++ b/debian/patches/CVE-2024-4340.patch
@@ -0,0 +1,78 @@
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+Origin: https://github.com/andialbrecht/sqlparse/commit/29f2e0a6609ddc1fa248faef1bc41616043c544e
+Bug: https://github.com/advisories/GHSA-2m57-hf25-phgg
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-4340
+Bug-Debian: https://bugs.debian.org/1070148
+---
+ sqlparse/sql.py | 14 +++++++++-----
+ tests/test_regressions.py | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 6a32c26..ffffc77 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+
+
+@@ -209,11 +210,14 @@ class TokenList(Token):
+
+ This method is recursively called for all child tokens.
+ """
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+
+ def get_sublists(self):
+ for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index 38d1840..29311ea 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,10 @@
++import sys
++
+ import pytest
+
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+
+
+ def test_issue9():
+@@ -418,3 +421,16 @@ def test_splitting_at_and_backticks_issue588():
+ 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
+ assert len(splitted) == 2
+ assert splitted[-1] == 'grant bar to user1@`myhost`;'
++
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(100)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 1000 + ']' * 1000)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9d732e6
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2023-30608.patch
+CVE-2024-4340.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 33c3a64..e59a419 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -2,3 +2,8 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1