Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: sqlpa...@packages.debian.org Control: affects -1 + src:sqlparse User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Fix 2 no-dsa vulnerabilities: CVE-2023-30608 and CVE-2024-4340. [ Impact ] Users would remain vulnerable. Furthermore, the issues are fixed in Bullseye LTS, leading to a regression when upgrading. [ Tests ] Both patches come with unit tests, and the package's comprehensive test suite is run at build time. I also manually checked the reporters' PoC against 0.4.2-1 vs. 0.4.2-1+deb12u1. [ Risks ] Low: Both patches come from upstream and applied trivially to 0.4.2-1. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] * Fix CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS. (Closes: #1034615) * Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of Service. (Closes: #1070148) * Adjust d/salsa-ci.yml for bookworm. -- Guilhem.
diffstat for sqlparse-0.4.2 sqlparse-0.4.2
 changelog | 11 ++++++
 patches/CVE-2023-30608.patch | 47 +++++++++++++++++++++++++
 patches/CVE-2024-4340.patch | 78 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 2 +
 salsa-ci.yml | 5 ++
 5 files changed, 143 insertions(+)
diff -Nru sqlparse-0.4.2/debian/changelog sqlparse-0.4.2/debian/changelog
--- sqlparse-0.4.2/debian/changelog 2021-12-01 11:42:26.000000000 +0100
+++ sqlparse-0.4.2/debian/changelog 2024-12-21 18:18:53.000000000 +0100
@@ -1,3 +1,14 @@
+sqlparse (0.4.2-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-30608: Parser contains a regular expression that is
+ vulnerable to ReDOS. (Closes: #1034615)
+ * Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of
+ Service. (Closes: #1070148)
+ * Adjust d/salsa-ci.yml for bookworm.
+
+ -- Guilhem Moulin <guil...@debian.org> Sat, 21 Dec 2024 18:18:53 +0100
+
 sqlparse (0.4.2-1) unstable; urgency=medium
 * Team upload.
diff -Nru sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch
--- sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch 1970-01-01 01:00:00.000000000 +0100
+++ sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch 2024-12-21 18:18:53.000000000 +0100
@@ -0,0 +1,47 @@
+From: Andi Albrecht <albrecht.a...@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
+Bug: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-30608
+Bug-Debian: https://bugs.debian.org/1034615
+---
+ sqlparse/keywords.py | 4 ++--
+ tests/test_split.py | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index 6850628..4e97477 100644
+--- a/sqlparse/keywords.py
++++ b/sqlparse/keywords.py
+@@ -66,9 +66,9 @@ SQL_REGEX = {
+ (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
+ tokens.Number.Float),
+ (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
++ (r"'(''|\\'|[^'])*'", tokens.String.Single),
+ # not a real string literal in ANSI SQL:
+- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
+ (r'(""|".*?[^\\]")', tokens.String.Symbol),
+ # sqlite names can be escaped with [square brackets]. left bracket
+ # cannot be preceded by word character or a right bracket --
+diff --git a/tests/test_split.py b/tests/test_split.py
+index a9d7576..e79750e 100644
+--- a/tests/test_split.py
++++ b/tests/test_split.py
+@@ -18,8 +18,8 @@ def test_split_semicolon():
+
+
+ def test_split_backslash():
+- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+- assert len(stmts) == 3
++ stmts = sqlparse.parse("select '\'; select '\'';")
++ assert len(stmts) == 2
+
+
+ @pytest.mark.parametrize('fn', ['function.sql',
diff -Nru sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch
--- sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch 1970-01-01 01:00:00.000000000 +0100
+++ sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch 2024-12-21 18:18:53.000000000 +0100
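Review bot: The replacement `stmts = sqlparse.parse("select '\'; select '\'';")` in test_split.py is a non-raw Python literal, so each `\'` is collapsed to `'` before sqlparse ever sees it and `test_split_backslash` no longer contains a backslash at all, whereas the removed line was a raw string; the hunk therefore drops the only coverage of the escaping path the keywords.py change touches. That change is also not purely a matching-cost fix: with `'(''|\\'|[^'])*'` a backslash before a closing quote is taken as an escape, so, as far as the pattern shows, `'\\'` followed by another quoted literal can lex as a single string, which is presumably why the `'\\'` case was dropped and the expected count lowered from 3 to 2. For a stable update that is a tokenization change reverse dependencies splitting statements will see, and the pu request's "[ Risks ] Low" wording does not mention it. I would keep the literal raw, `r"select '\'; select '\'';"`, re-derive the expected count against the new regex, and record the intent above it with `# a backslash before a closing quote now escapes it (CVE-2023-30608 fix)`. The remaining overlap between `\\'` and `[^']` looks bounded, since `[^']` cannot consume the quote that ends the group, but that is inferred from the pattern, not tested here.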
@@ -0,0 +1,78 @@
+From: Andi Albrecht <albrecht.a...@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+Origin: https://github.com/andialbrecht/sqlparse/commit/29f2e0a6609ddc1fa248faef1bc41616043c544e
+Bug: https://github.com/advisories/GHSA-2m57-hf25-phgg
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-4340
+Bug-Debian: https://bugs.debian.org/1070148
+---
+ sqlparse/sql.py | 14 +++++++++-----
+ tests/test_regressions.py | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 6a32c26..ffffc77 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+
+
+@@ -209,11 +210,14 @@ class TokenList(Token):
+
+ This method is recursively called for all child tokens.
+ """
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+
+ def get_sublists(self):
+ for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index 38d1840..29311ea 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,10 @@
++import sys
++
+ import pytest
+
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+
+
+ def test_issue9():
+@@ -418,3 +421,16 @@ def test_splitting_at_and_backticks_issue588():
+ 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
+ assert len(splitted) == 2
+ assert splitted[-1] == 'grant bar to user1@`myhost`;'
++
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(100)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 1000 + ']' * 1000)
diff -Nru sqlparse-0.4.2/debian/patches/series sqlparse-0.4.2/debian/patches/series
--- sqlparse-0.4.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ sqlparse-0.4.2/debian/patches/series 2024-12-21 18:18:53.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2023-30608.patch
+CVE-2024-4340.patch
diff -Nru sqlparse-0.4.2/debian/salsa-ci.yml sqlparse-0.4.2/debian/salsa-ci.yml
--- sqlparse-0.4.2/debian/salsa-ci.yml 2021-01-23 15:15:30.000000000 +0100
+++ sqlparse-0.4.2/debian/salsa-ci.yml 2024-12-21 18:18:53.000000000 +0100
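Review bot: The `except RecursionError` wrapped around the loop in `flatten()` changes the exception API callers see, but the docstring it sits under (its opening line is outside the hunk) is not updated; add `Raises SQLParseError when the token tree is nested deeper than the interpreter recursion limit.` so users know what to catch. The translation does not make hostile input cheaper: the walk still recurses to the limit before failing, so a service that wants a denial-of-service bound must still cap input size or nesting in front of `parse()`, and the changelog's "leads to Denial of Service" wording should not be read as the work being avoided. Only `flatten()` is wrapped; `get_sublists()` directly below (cut off by the hunk) and any other recursive walk over the same tree still surface a bare `RecursionError`, and whether the grouping pass that builds the nested lists can hit the limit before `flatten()` runs is not visible here. The `limit_recursion` fixture installs a process-wide limit of 100 that also has to cover pytest's own frames, so if `test_max_recursion` ever fails in a different runner the cause may be the harness stack rather than the parser; a comment on `sys.setrecursionlimit(100)` saying the value was chosen to fit under pytest would help the next person.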
@@ -2,3 +2,8 @@
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
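Review bot: `SALSA_CI_DISABLE_REPROTEST: 1` and `SALSA_CI_DISABLE_LINTIAN: 1` switch two checks off for this branch without recording why, so a later uploader cannot tell whether the reason still holds or whether a lintian finding is being hidden on a security update. A short comment above them, e.g. `# disabled for the bookworm branch: <reason>; re-enable once resolved`, keeps that decision reviewable. `RELEASE: 'bookworm'` is self-explanatory and needs none.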