Package: release.debian.org Severity: normal Tags: bookworm moreinfo User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected], Debian Python Team <[email protected]>
* CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780) Tagged moreinfo, pending the security team's answer on whether they want this fixed via a pu upload or as a DSA.
diffstat for webpy-0.62 webpy-0.62
 changelog | 7 ++++
 patches/0001-Address-CVE-2025-3818-807.patch | 43 +++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 51 insertions(+)
diff -Nru webpy-0.62/debian/changelog webpy-0.62/debian/changelog
--- webpy-0.62/debian/changelog	2023-02-26 00:14:11.000000000 +0200
+++ webpy-0.62/debian/changelog	2025-05-28 20:54:20.000000000 +0300
@@ -1,3 +1,10 @@
+webpy (1:0.62-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780)
+
+ -- Adrian Bunk <[email protected]>  Wed, 28 May 2025 20:54:20 +0300
+
 webpy (1:0.62-4) unstable; urgency=medium
 
   * Fix debian/watch
diff -Nru webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch
--- webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch	1970-01-01 02:00:00.000000000 +0200
+++ webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch	2025-05-28 20:39:22.000000000 +0300
@@ -0,0 +1,43 @@
+From fc5451478a5ae648a29738012094aeeb77e6c5b8 Mon Sep 17 00:00:00 2001
+From: Mek <[email protected]>
+Date: Wed, 7 May 2025 15:14:44 -0400
+Subject: Address CVE-2025-3818 (#807)
+
+* Address CVE-2025-3818
+
+Co-authored-by: Scott Barnes <[email protected]>
+
+---------
+
+Co-authored-by: Scott Barnes <[email protected]>
+---
+ web/db.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/web/db.py b/web/db.py
+index 4559994..7e12d7f 100644
+--- a/web/db.py
++++ b/web/db.py
+@@ -1217,10 +1217,18 @@ class PostgresDB(DB):
+                 seqname = None
+ 
+         if seqname:
+-            query += "; SELECT currval('%s')" % seqname
++            query += self.get_sequence_query(seqname)
+ 
+         return query
+ 
++    def get_sequence_query(self, seqname):
++        import re
++        # Ensure the sequence name is valid
++        if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
++            raise ValueError(f"Invalid sequence name: {seqname}")
++        return SQLQuery("; SELECT currval(%s)", seqname)
++
++
+     def _get_all_sequences(self):
+         """Query postgres to find names of all sequences used in this database."""
+         if self._sequences is None:
+-- 
+2.30.2
+
diff -Nru webpy-0.62/debian/patches/series webpy-0.62/debian/patches/series
--- webpy-0.62/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ webpy-0.62/debian/patches/series	2025-05-28 20:54:20.000000000 +0300
@@ -0,0 +1 @@
+0001-Address-CVE-2025-3818-807.patch
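Review bot: The allowlist in `get_sequence_query` uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so a value like `"foo_id_seq\n"` passes the check; use `if not re.fullmatch(r'[a-zA-Z_][a-zA-Z0-9_$]*', seqname):` so only the bare identifier is accepted, and move `import re` to module level instead of re-importing on every insert. Because the name is then bound as a parameter in `SQLQuery("; SELECT currval(%s)", seqname)` this is defence in depth rather than a remaining injection, but the hunk does not show `SQLQuery`'s constructor, and if the 0.62 version only takes a single `items` argument every PostgresDB insert that resolves a sequence would now fail with `TypeError` — please exercise `db.insert()` against a real PostgresDB before the upload. Note also that schema-qualified sequence names such as `public.foo_id_seq`, which the old string formatting accepted, are now rejected with `ValueError`; that is a behaviour change worth a line in the changelog for stable users. `_process_insert_query` begins outside the hunk.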

