summaryrefslogtreecommitdiff
diff options
authorLeonidas Da Silva Barbosa <leo.barbosa@canonical.com>2023-05-04 10:38:26 -0300
committergit-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com>2023-05-10 11:42:08 +0000
commit0fd702b80d6d553e53ec1bbdc21f4907adaeae03 (patch)
treebfd2d6dd7eb864ee1d7064d1f723b0df9d87228a
parent0abadd07d7b733e1cc9a9079265df5e95a57a461 (diff)
Imported using git-ubuntu import.
Notes
Notes: * SECURITY UPDATE: ReDoS - debian/patches/CVE-2023-30608.patch: remove unnecessary parts in regex for bad escaping in sqlparse/keywords.py. - CVE-2023-30608
-rw-r--r--debian/changelog9
-rw-r--r--debian/control3
-rw-r--r--debian/patches/CVE-2023-30608.patch37
-rw-r--r--debian/patches/series1
4 files changed, 49 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 6af0693..33b4e79 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+sqlparse (0.2.4-0.1ubuntu0.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: ReDoS
+ - debian/patches/CVE-2023-30608.patch: remove unnecessary parts
+ in regex for bad escaping in sqlparse/keywords.py.
+ - CVE-2023-30608
+
+ -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 04 May 2023 10:38:26 -0300
+
sqlparse (0.2.4-0.1) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/control b/debian/control
index bbd0769..81eb313 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
Source: sqlparse
Section: python
Priority: optional
-Maintainer: Andriy Senkovych <jolly_roger@itblog.org.ua>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Andriy Senkovych <jolly_roger@itblog.org.ua>
Uploaders: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Build-Depends: debhelper (>= 9), dh-python,
python-all (>= 2.6.5-13~), python3-all (>= 3.2),
diff --git a/debian/patches/CVE-2023-30608.patch b/debian/patches/CVE-2023-30608.patch
new file mode 100644
index 0000000..8122aa6
--- /dev/null
+++ b/debian/patches/CVE-2023-30608.patch
@@ -0,0 +1,37 @@
+Backported of:
+
+From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index a1242ab..6c0ae12 100644
+--- a/sqlparse/keywords.py
++++ b/sqlparse/keywords.py
+@@ -62,7 +62,7 @@ SQL_REGEX = {
+ (r'-?\d*(\.\d+)?E-?\d+', tokens.Number.Float),
+ (r'-?(\d+(\.\d*)|\.\d+)', tokens.Number.Float),
+ (r'-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
++ (r"'(''|\\'|[^'])*'", tokens.String.Single),
+ # not a real string literal in ANSI SQL:
+ (r'(""|".*?[^\\]")', tokens.String.Symbol),
+ # sqlite names can be escaped with [square brackets]. left bracket
+diff --git a/tests/test_split.py b/tests/test_split.py
+index 5d846bf..470eb81 100644
+--- a/tests/test_split.py
++++ b/tests/test_split.py
+@@ -20,8 +20,8 @@ def test_split_semicolon():
+
+
+ def test_split_backslash():
+- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+- assert len(stmts) == 3
++ stmts = sqlparse.parse("select '\'; select '\'';")
++ assert len(stmts) == 2
+
+
+ @pytest.mark.parametrize('fn', ['function.sql',
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..844c553
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-30608.patch