diff options
| author | Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> | 2023-05-04 10:38:26 -0300 |
|---|---|---|
| committer | git-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com> | 2023-05-10 11:42:08 +0000 |
| commit | 0fd702b80d6d553e53ec1bbdc21f4907adaeae03 (patch) | |
| tree | bfd2d6dd7eb864ee1d7064d1f723b0df9d87228a | |
| parent | 0abadd07d7b733e1cc9a9079265df5e95a57a461 (diff) | |
0.2.4-0.1ubuntu0.1 (patches unapplied)import/0.2.4-0.1ubuntu0.1ubuntu/bionic-updatesubuntu/bionic-securityubuntu/bionic-devel
Imported using git-ubuntu import.
Notes
Notes:
* SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-30608.patch: remove unnecessary parts
in regex for bad escaping in sqlparse/keywords.py.
- CVE-2023-30608
| -rw-r--r-- | debian/changelog | 9 | ||||
| -rw-r--r-- | debian/control | 3 | ||||
| -rw-r--r-- | debian/patches/CVE-2023-30608.patch | 37 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
4 files changed, 49 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 6af0693..33b4e79 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +sqlparse (0.2.4-0.1ubuntu0.1) bionic-security; urgency=medium + + * SECURITY UPDATE: ReDoS + - debian/patches/CVE-2023-30608.patch: remove unnecessary parts + in regex for bad escaping in sqlparse/keywords.py. + - CVE-2023-30608 + + -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 04 May 2023 10:38:26 -0300 + sqlparse (0.2.4-0.1) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/control b/debian/control index bbd0769..81eb313 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,8 @@ Source: sqlparse Section: python Priority: optional -Maintainer: Andriy Senkovych <jolly_roger@itblog.org.ua> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Andriy Senkovych <jolly_roger@itblog.org.ua> Uploaders: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org> Build-Depends: debhelper (>= 9), dh-python, python-all (>= 2.6.5-13~), python3-all (>= 3.2), diff --git a/debian/patches/CVE-2023-30608.patch b/debian/patches/CVE-2023-30608.patch new file mode 100644 index 0000000..8122aa6 --- /dev/null +++ b/debian/patches/CVE-2023-30608.patch @@ -0,0 +1,37 @@ +Backported of: + +From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001 +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Mon, 20 Mar 2023 08:33:46 +0100 +Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. + +The regex tried to deal with situations where escaping in the +SQL to be parsed was suspicious. +diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py +index a1242ab..6c0ae12 100644 +--- a/sqlparse/keywords.py ++++ b/sqlparse/keywords.py +@@ -62,7 +62,7 @@ SQL_REGEX = { + (r'-?\d*(\.\d+)?E-?\d+', tokens.Number.Float), + (r'-?(\d+(\.\d*)|\.\d+)', tokens.Number.Float), + (r'-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), +- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), ++ (r"'(''|\\'|[^'])*'", tokens.String.Single), + # not a real string literal in ANSI SQL: + (r'(""|".*?[^\\]")', tokens.String.Symbol), + # sqlite names can be escaped with [square brackets]. left bracket +diff --git a/tests/test_split.py b/tests/test_split.py +index 5d846bf..470eb81 100644 +--- a/tests/test_split.py ++++ b/tests/test_split.py +@@ -20,8 +20,8 @@ def test_split_semicolon(): + + + def test_split_backslash(): +- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") +- assert len(stmts) == 3 ++ stmts = sqlparse.parse("select '\'; select '\'';") ++ assert len(stmts) == 2 + + + @pytest.mark.parametrize('fn', ['function.sql', diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..844c553 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-30608.patch |
