diff options
| author | Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> | 2023-05-04 09:30:46 -0300 |
|---|---|---|
| committer | git-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com> | 2023-05-10 11:42:03 +0000 |
| commit | 45707b8f00e0b8ab647b73f8fd6ae44cac10d20b (patch) | |
| tree | ffec5fb7e398a0a5a06ff7d6f49a6bf94d9d8a81 | |
| parent | e8c147c8386ac292a58d16dd314631b293f33c8c (diff) | |
0.4.2-1ubuntu0.23.04.1 (patches unapplied)import/0.4.2-1ubuntu0.23.04.1ubuntu/lunar-updatesubuntu/lunar-securityubuntu/lunar-devel
Imported using git-ubuntu import.
Notes
Notes:
* SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-30608.patch: remove unnecessary parts
in regex for bad escaping in sqlparse/keywords.py.
- CVE-2023-30608
| -rw-r--r-- | debian/changelog | 9 | ||||
| -rw-r--r-- | debian/control | 3 | ||||
| -rw-r--r-- | debian/patches/CVE-2023-30608.patch | 38 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
4 files changed, 50 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 78ed9c2..1bee499 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +sqlparse (0.4.2-1ubuntu0.23.04.1) lunar-security; urgency=medium + + * SECURITY UPDATE: ReDoS + - debian/patches/CVE-2023-30608.patch: remove unnecessary parts + in regex for bad escaping in sqlparse/keywords.py. + - CVE-2023-30608 + + -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 04 May 2023 09:30:46 -0300 + sqlparse (0.4.2-1) unstable; urgency=medium * Team upload. diff --git a/debian/control b/debian/control index d47109d..f1aa909 100644 --- a/debian/control +++ b/debian/control @@ -1,5 +1,6 @@ Source: sqlparse -Maintainer: Andrii Senkovych <andrii@senkovych.com> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Andrii Senkovych <andrii@senkovych.com> Uploaders: Debian Python Team <team+python@tracker.debian.org> Section: python Priority: optional diff --git a/debian/patches/CVE-2023-30608.patch b/debian/patches/CVE-2023-30608.patch new file mode 100644 index 0000000..1809469 --- /dev/null +++ b/debian/patches/CVE-2023-30608.patch @@ -0,0 +1,38 @@ +From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001 +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Mon, 20 Mar 2023 08:33:46 +0100 +Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. + +The regex tried to deal with situations where escaping in the +SQL to be parsed was suspicious. +diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py +index 6850628..4e97477 100644 +--- a/sqlparse/keywords.py ++++ b/sqlparse/keywords.py +@@ -66,9 +66,9 @@ SQL_REGEX = { + (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', + tokens.Number.Float), + (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), +- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), ++ (r"'(''|\\'|[^'])*'", tokens.String.Single), + # not a real string literal in ANSI SQL: +- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol), ++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol), + (r'(""|".*?[^\\]")', tokens.String.Symbol), + # sqlite names can be escaped with [square brackets]. left bracket + # cannot be preceded by word character or a right bracket -- +diff --git a/tests/test_split.py b/tests/test_split.py +index a9d7576..e79750e 100644 +--- a/tests/test_split.py ++++ b/tests/test_split.py +@@ -18,8 +18,8 @@ def test_split_semicolon(): + + + def test_split_backslash(): +- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") +- assert len(stmts) == 3 ++ stmts = sqlparse.parse("select '\'; select '\'';") ++ assert len(stmts) == 2 + + + @pytest.mark.parametrize('fn', ['function.sql', diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..844c553 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-30608.patch |
