summaryrefslogtreecommitdiff
diff options
authorLeonidas Da Silva Barbosa <leo.barbosa@canonical.com>2023-05-04 09:30:46 -0300
committergit-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com>2023-05-10 11:42:03 +0000
commit45707b8f00e0b8ab647b73f8fd6ae44cac10d20b (patch)
treeffec5fb7e398a0a5a06ff7d6f49a6bf94d9d8a81
parente8c147c8386ac292a58d16dd314631b293f33c8c (diff)
Imported using git-ubuntu import.
Notes
Notes: * SECURITY UPDATE: ReDoS - debian/patches/CVE-2023-30608.patch: remove unnecessary parts in regex for bad escaping in sqlparse/keywords.py. - CVE-2023-30608
-rw-r--r--debian/changelog9
-rw-r--r--debian/control3
-rw-r--r--debian/patches/CVE-2023-30608.patch38
-rw-r--r--debian/patches/series1
4 files changed, 50 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 78ed9c2..1bee499 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+sqlparse (0.4.2-1ubuntu0.23.04.1) lunar-security; urgency=medium
+
+ * SECURITY UPDATE: ReDoS
+ - debian/patches/CVE-2023-30608.patch: remove unnecessary parts
+ in regex for bad escaping in sqlparse/keywords.py.
+ - CVE-2023-30608
+
+ -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 04 May 2023 09:30:46 -0300
+
sqlparse (0.4.2-1) unstable; urgency=medium
* Team upload.
diff --git a/debian/control b/debian/control
index d47109d..f1aa909 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,6 @@
Source: sqlparse
-Maintainer: Andrii Senkovych <andrii@senkovych.com>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Andrii Senkovych <andrii@senkovych.com>
Uploaders: Debian Python Team <team+python@tracker.debian.org>
Section: python
Priority: optional
diff --git a/debian/patches/CVE-2023-30608.patch b/debian/patches/CVE-2023-30608.patch
new file mode 100644
index 0000000..1809469
--- /dev/null
+++ b/debian/patches/CVE-2023-30608.patch
@@ -0,0 +1,38 @@
+From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index 6850628..4e97477 100644
+--- a/sqlparse/keywords.py
++++ b/sqlparse/keywords.py
+@@ -66,9 +66,9 @@ SQL_REGEX = {
+ (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
+ tokens.Number.Float),
+ (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
++ (r"'(''|\\'|[^'])*'", tokens.String.Single),
+ # not a real string literal in ANSI SQL:
+- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
+ (r'(""|".*?[^\\]")', tokens.String.Symbol),
+ # sqlite names can be escaped with [square brackets]. left bracket
+ # cannot be preceded by word character or a right bracket --
+diff --git a/tests/test_split.py b/tests/test_split.py
+index a9d7576..e79750e 100644
+--- a/tests/test_split.py
++++ b/tests/test_split.py
+@@ -18,8 +18,8 @@ def test_split_semicolon():
+
+
+ def test_split_backslash():
+- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+- assert len(stmts) == 3
++ stmts = sqlparse.parse("select '\'; select '\'';")
++ assert len(stmts) == 2
+
+
+ @pytest.mark.parametrize('fn', ['function.sql',
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..844c553
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-30608.patch