Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <e1twzgn-009jbi...@coccia.debian.org>
and subject line Close 1091547
has caused the Debian Bug report #1091547,
regarding bookworm-pu: package sqlparse/0.4.2-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1091547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sqlpa...@packages.debian.org
Control: affects -1 + src:sqlparse
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Fix 2 no-dsa vulnerabilities: CVE-2023-30608 and CVE-2024-4340.
[ Impact ]
Users would remain vulnerable. Furthermore the issues are fixed in
Bullseye LTS, leading to a regression when upgrading.
[ Tests ]
Both patches come with unit tests, and the package's comprehensive test
suite is run at build time. I also manually checked the reporters' PoC
against 0.4.2-1 vs. 0.4.2-1+deb12u1.
[ Risks ]
Low: Both patches come from upstream and apply trivially to 0.4.2-1.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2023-30608: Parser contains a regular expression that is
vulnerable to ReDOS. (Closes: #1034615)
* Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of
Service. (Closes: #1070148)
* Adjust d/salsa-ci.yml for bookworm.
--
Guilhem.
diffstat for sqlparse-0.4.2 sqlparse-0.4.2
changelog | 11 ++++++
patches/CVE-2023-30608.patch | 47 +++++++++++++++++++++++++
patches/CVE-2024-4340.patch | 78 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
salsa-ci.yml | 5 ++
5 files changed, 143 insertions(+)
diff -Nru sqlparse-0.4.2/debian/changelog sqlparse-0.4.2/debian/changelog
--- sqlparse-0.4.2/debian/changelog 2021-12-01 11:42:26.000000000 +0100
+++ sqlparse-0.4.2/debian/changelog 2024-12-21 18:18:53.000000000 +0100
@@ -1,3 +1,14 @@
+sqlparse (0.4.2-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-30608: Parser contains a regular expression that is
+ vulnerable to ReDOS. (Closes: #1034615)
+ * Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of
+ Service. (Closes: #1070148)
+ * Adjust d/salsa-ci.yml for bookworm.
+
+ -- Guilhem Moulin <guil...@debian.org> Sat, 21 Dec 2024 18:18:53 +0100
+
sqlparse (0.4.2-1) unstable; urgency=medium
* Team upload.
diff -Nru sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch
sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch
--- sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch 1970-01-01
01:00:00.000000000 +0100
+++ sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch 2024-12-21
18:18:53.000000000 +0100
@@ -0,0 +1,47 @@
+From: Andi Albrecht <albrecht.a...@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+
+Origin:
https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
+Bug:
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-30608
+Bug-Debian: https://bugs.debian.org/1034615
+---
+ sqlparse/keywords.py | 4 ++--
+ tests/test_split.py | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index 6850628..4e97477 100644
+--- a/sqlparse/keywords.py
++++ b/sqlparse/keywords.py
+@@ -66,9 +66,9 @@ SQL_REGEX = {
+ (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
+ tokens.Number.Float),
+ (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
++ (r"'(''|\\'|[^'])*'", tokens.String.Single),
+ # not a real string literal in ANSI SQL:
+- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
+ (r'(""|".*?[^\\]")', tokens.String.Symbol),
+ # sqlite names can be escaped with [square brackets]. left bracket
+ # cannot be preceded by word character or a right bracket --
+diff --git a/tests/test_split.py b/tests/test_split.py
+index a9d7576..e79750e 100644
+--- a/tests/test_split.py
++++ b/tests/test_split.py
+@@ -18,8 +18,8 @@ def test_split_semicolon():
+
+
+ def test_split_backslash():
+- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+- assert len(stmts) == 3
++ stmts = sqlparse.parse("select '\'; select '\'';")
++ assert len(stmts) == 2
+
+
+ @pytest.mark.parametrize('fn', ['function.sql',
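Review bot: The rewritten test at `+ stmts = sqlparse.parse("select '\'; select '\'';")` uses a non-raw literal, so Python consumes the `\'` escapes and the parsed text contains no backslash at all; it therefore no longer exercises the `\\'` alternative that the new pattern keeps, nor the input class the advisory describes. Dropping `\\\\` removes the ambiguity with two `[^']` matches that made runs of backslashes expensive, so the remaining pattern should backtrack linearly, but nothing in the patch pins that down. I would keep the existing count assertion unchanged (a raw string would alter the statement count) and add a separate regression test that tokenizes an opening quote followed by a long run of backslashes with no closing quote and asserts that it completes promptly, so a future regex change cannot silently reintroduce the issue. `SQL_REGEX` starts and ends outside the inner hunk.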
diff -Nru sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch
sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch
--- sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch 1970-01-01
01:00:00.000000000 +0100
+++ sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch 2024-12-21
18:18:53.000000000 +0100
@@ -0,0 +1,78 @@
+From: Andi Albrecht <albrecht.a...@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: Raise SQLParseError instead of RecursionError.
+
+Origin:
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+Origin:
https://github.com/andialbrecht/sqlparse/commit/29f2e0a6609ddc1fa248faef1bc41616043c544e
+Bug: https://github.com/advisories/GHSA-2m57-hf25-phgg
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-4340
+Bug-Debian: https://bugs.debian.org/1070148
+---
+ sqlparse/sql.py | 14 +++++++++-----
+ tests/test_regressions.py | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 6a32c26..ffffc77 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+
+
+@@ -209,11 +210,14 @@ class TokenList(Token):
+
+ This method is recursively called for all child tokens.
+ """
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+
+ def get_sublists(self):
+ for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index 38d1840..29311ea 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,10 @@
++import sys
++
+ import pytest
+
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+
+
+ def test_issue9():
+@@ -418,3 +421,16 @@ def test_splitting_at_and_backticks_issue588():
+ 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
+ assert len(splitted) == 2
+ assert splitted[-1] == 'grant bar to user1@`myhost`;'
++
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(100)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 1000 + ']' * 1000)
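Review bot: The new `try`/`except` in `flatten()` carries no comment explaining why a `RecursionError` is translated, and the docstring above it (which starts outside the hunk) does not mention the new failure mode; I would add `# Deeply nested input exhausts the interpreter stack; surface it as a parse error (CVE-2024-4340) instead of a bare RecursionError.` above the `try`, plus a `Raises SQLParseError when the nesting exceeds the recursion limit.` line in the docstring. The translation applies only to this traversal; `get_sublists()` just below (its body continues outside the hunk) and any other recursive walk the parser performs are not covered, so callers that catch `SQLParseError` may presumably still see a raw `RecursionError` from other entry points, which is worth confirming against the rest of the module. Assuming `SQLParseError` does not derive from `RecursionError`, the innermost frame performs the conversion and the outer frames propagate it untouched, which gives the single conversion the commit intends.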
diff -Nru sqlparse-0.4.2/debian/patches/series
sqlparse-0.4.2/debian/patches/series
--- sqlparse-0.4.2/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ sqlparse-0.4.2/debian/patches/series 2024-12-21 18:18:53.000000000
+0100
@@ -0,0 +1,2 @@
+CVE-2023-30608.patch
+CVE-2024-4340.patch
diff -Nru sqlparse-0.4.2/debian/salsa-ci.yml sqlparse-0.4.2/debian/salsa-ci.yml
--- sqlparse-0.4.2/debian/salsa-ci.yml 2021-01-23 15:15:30.000000000 +0100
+++ sqlparse-0.4.2/debian/salsa-ci.yml 2024-12-21 18:18:53.000000000 +0100
@@ -2,3 +2,8 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.
--- End Message ---