diff options
author | Narpat Mali <narpat.mali@windriver.com> | 2023-05-31 15:23:13 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-06-17 13:50:19 -0400 |
commit | 420acd8735dd5d3bd0751928b65b87b94ede2b0c (patch) | |
tree | b9ffd4bc3bbf0f629e868ab2a4f935e6b379992d /meta-python/recipes-devtools | |
parent | 9ea78f00a460d2c2f6e1cd49121e5e41eb2c68a4 (diff) | |
download | meta-openembedded-contrib-420acd8735dd5d3bd0751928b65b87b94ede2b0c.tar.gz |
python3-sqlparse: fix for CVE-2023-30608
sqlparse is a non-validating SQL parser module for Python. In affected
versions the SQL parser contains a regular expression that is vulnerable
to ReDoS (Regular Expression Denial of Service). This issue was introduced
by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS).
This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users
are advised to upgrade. There are no known workarounds for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools')
-rw-r--r-- | meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch | 75 | ||||
-rw-r--r-- | meta-python/recipes-devtools/python/python3-sqlparse_0.4.2.bb | 1 |
2 files changed, 76 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch b/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch new file mode 100644 index 0000000000..41dbf088e1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch @@ -0,0 +1,75 @@ +From fa1cc25e1967228e5d47b9ddb626cc82dba92d7e Mon Sep 17 00:00:00 2001 +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Wed, 31 May 2023 12:29:07 +0000 +Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. + +The regex tried to deal with situations where escaping in the +SQL to be parsed was suspicious. + +CVE: CVE-2023-30608 + +Upstream-Status: Backport [https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + CHANGELOG | 15 +++++++++++++++ + sqlparse/keywords.py | 4 ++-- + tests/test_split.py | 4 ++-- + 3 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 65e03fc..a584003 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,18 @@ ++Backport CVE-2023-30608 Fix ++--------------------------- ++ ++Notable Changes ++ ++* IMPORTANT: This release fixes a security vulnerability in the ++ parser where a regular expression vulnerable to ReDOS (Regular ++ Expression Denial of Service) was used. See the security advisory ++ for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 ++ The vulnerability was discovered by @erik-krogh from GitHub ++ Security Lab (GHSL). Thanks for reporting! ++ ++* Fix regular expressions for string parsing. ++ ++ + Release 0.4.2 (Sep 10, 2021) + ---------------------------- + +diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py +index 6850628..4e97477 100644 +--- a/sqlparse/keywords.py ++++ b/sqlparse/keywords.py +@@ -66,9 +66,9 @@ SQL_REGEX = { + (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', + tokens.Number.Float), + (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), +- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), ++ (r"'(''|\\'|[^'])*'", tokens.String.Single), + # not a real string literal in ANSI SQL: +- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol), ++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol), + (r'(""|".*?[^\\]")', tokens.String.Symbol), + # sqlite names can be escaped with [square brackets]. left bracket + # cannot be preceded by word character or a right bracket -- +diff --git a/tests/test_split.py b/tests/test_split.py +index a9d7576..e79750e 100644 +--- a/tests/test_split.py ++++ b/tests/test_split.py +@@ -18,8 +18,8 @@ def test_split_semicolon(): + + + def test_split_backslash(): +- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") +- assert len(stmts) == 3 ++ stmts = sqlparse.parse("select '\'; select '\'';") ++ assert len(stmts) == 2 + + + @pytest.mark.parametrize('fn', ['function.sql', +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-sqlparse_0.4.2.bb b/meta-python/recipes-devtools/python/python3-sqlparse_0.4.2.bb index 0980ff9c24..b5cc41e730 100644 --- a/meta-python/recipes-devtools/python/python3-sqlparse_0.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-sqlparse_0.4.2.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2b136f573f5386001ea3b7b9016222fc" SRC_URI += "file://0001-sqlparse-change-shebang-to-python3.patch \ file://run-ptest \ + file://CVE-2023-30608.patch \ " SRC_URI[sha256sum] = "0c00730c74263a94e5a9919ade150dfc3b19c574389985446148402998287dae" |