
Bug#1106756: bookworm-pu: package webpy/1:0.62-4+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Debian Python Team <team+python@tracker.debian.org>

  * CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780)

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.
diffstat for webpy-0.62 webpy-0.62

 changelog                                    |    7 ++++
 patches/0001-Address-CVE-2025-3818-807.patch |   43 +++++++++++++++++++++++++++
 patches/series                               |    1 
 3 files changed, 51 insertions(+)

diff -Nru webpy-0.62/debian/changelog webpy-0.62/debian/changelog
--- webpy-0.62/debian/changelog	2023-02-26 00:14:11.000000000 +0200
+++ webpy-0.62/debian/changelog	2025-05-28 20:54:20.000000000 +0300
@@ -1,3 +1,10 @@
+webpy (1:0.62-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780)
+
+ -- Adrian Bunk <bunk@debian.org>  Wed, 28 May 2025 20:54:20 +0300
+
 webpy (1:0.62-4) unstable; urgency=medium
 
   * Fix debian/watch
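Review bot: the changelog entry names the CVE but says nothing about what the fix does or that it changes behaviour: inserts that reach the currval() path with a sequence name that is not a plain identifier (schema-qualified or quoted names included) now raise ValueError where they used to run. For a stable NMU it is worth a second bullet line stating that, together with the upstream commit the patch is taken from (fc5451478a5a), so the SRMs and the DSA text can be written from the changelog alone.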
diff -Nru webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch
--- webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch	1970-01-01 02:00:00.000000000 +0200
+++ webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch	2025-05-28 20:39:22.000000000 +0300
@@ -0,0 +1,43 @@
+From fc5451478a5ae648a29738012094aeeb77e6c5b8 Mon Sep 17 00:00:00 2001
+From: Mek <michael.karpeles@gmail.com>
+Date: Wed, 7 May 2025 15:14:44 -0400
+Subject: Address CVE-2025-3818 (#807)
+
+* Address CVE-2025-3818
+
+Co-authored-by: Scott Barnes <scottreidbarnes@gmail.com>
+
+---------
+
+Co-authored-by: Scott Barnes <scottreidbarnes@gmail.com>
+---
+ web/db.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/web/db.py b/web/db.py
+index 4559994..7e12d7f 100644
+--- a/web/db.py
++++ b/web/db.py
+@@ -1217,10 +1217,18 @@ class PostgresDB(DB):
+                 seqname = None
+ 
+         if seqname:
+-            query += "; SELECT currval('%s')" % seqname
++            query += self.get_sequence_query(seqname)
+ 
+         return query
+ 
++    def get_sequence_query(self, seqname):
++        import re
++        # Ensure the sequence name is valid
++        if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
++            raise ValueError(f"Invalid sequence name: {seqname}")
++        return SQLQuery("; SELECT currval(%s)", seqname)
++
++
+     def _get_all_sequences(self):
+         """Query postgres to find names of all sequences used in this database."""
+         if self._sequences is None:
+-- 
+2.30.2
+
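Review bot: the line `return SQLQuery("; SELECT currval(%s)", seqname)` passes two positional arguments to SQLQuery, and nothing in the patch shows that the 0.62 constructor takes a second one; if it only accepts `items`, this raises TypeError on every INSERT that resolves a sequence name, which is exactly the path the fix is supposed to protect, and the `%s` would then be a literal placeholder rather than a bound parameter. Please verify against bookworm's web/db.py before this goes in, and if in doubt build the query from an items list of string and SQLParam fragments, e.g. `SQLQuery(["; SELECT currval(", SQLParam(seqname), ")"])`, so the name is bound as a parameter whatever the constructor signature is. Two smaller points: `re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname)` still matches a name with a trailing newline, because `$` matches before a final newline, so `re.fullmatch` (or `\Z`) is the tighter check, and the pattern also rejects schema-qualified names such as `myschema.users_id_seq` that callers passing an explicit seqname could previously use, which is a behaviour change worth documenting; and `import re` inside the method should move to the module top with the other imports.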
diff -Nru webpy-0.62/debian/patches/series webpy-0.62/debian/patches/series
--- webpy-0.62/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ webpy-0.62/debian/patches/series	2025-05-28 20:54:20.000000000 +0300
@@ -0,0 +1 @@
+0001-Address-CVE-2025-3818-807.patch

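As an added illustration of the injection pattern this bug is about, and not code from web.py, from the submitter, or from the upstream commit: the first function mirrors the shape of the removed line (sequence name formatted straight into SQL text), the second mirrors the shape of the fix (identifier check, then a fixed SQL string with the name as a separate parameter). The helper names, the sample sequence names and the display-only quoting routine are all constructed here; the quoting routine only shows what a client-side binding driver would send and is not a safe escaping function for production use.

```python
"""CVE-2025-3818 pattern: a sequence name spliced into SQL text versus the
validated, parameterised form.  Stand-alone example written for this review;
helper names and sample inputs are constructed, not taken from web.py."""
import re

# Constructed sample inputs (not from the bug report or the patch).
BENIGN_SEQ = "users_id_seq"
MALICIOUS_SEQ = "users_id_seq'); DROP TABLE users; --"

# Same identifier shape the patch checks, compiled once at module level.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")
# The patch's own pattern, kept here only to show the trailing-newline quirk.
LEGACY_PATTERN = r"^[a-zA-Z_][a-zA-Z0-9_$]*$"


def currval_query_unsafe(seqname):
    """Pre-fix shape: the name is %-formatted into the SQL text, so a quote
    character in it closes the literal and whatever follows becomes SQL."""
    return "; SELECT currval('%s')" % seqname


def legacy_pattern_accepts(seqname):
    """re.match with a trailing '$' still accepts a name ending in '\\n'."""
    return re.match(LEGACY_PATTERN, seqname) is not None


def validate_sequence_name(seqname):
    """Accept only a plain PostgreSQL identifier.  fullmatch() has no
    end-of-string newline exception, unlike match() with '$'."""
    if not isinstance(seqname, str) or not IDENT_RE.fullmatch(seqname):
        raise ValueError(f"Invalid sequence name: {seqname!r}")
    return seqname


def is_rejected(seqname):
    """True when validate_sequence_name refuses the name."""
    try:
        validate_sequence_name(seqname)
    except ValueError:
        return True
    return False


def currval_query_safe(seqname):
    """Post-fix shape: fixed SQL text plus a separate parameter list, the
    (sql, params) pair a DB-API driver expects."""
    validate_sequence_name(seqname)
    return "; SELECT currval(%s)", [seqname]


def render_for_display(sql, params):
    """Display-only client-side binding: each parameter becomes a single-quoted
    literal with embedded quotes doubled, so it cannot close the literal early.
    Shows what reaches the server; not a production escaping routine."""
    quoted = ["'" + p.replace("'", "''") + "'" for p in params]
    return sql % tuple(quoted)


def statement_count(sql):
    """Crude count of ';'-separated statements outside single quotes, enough to
    show the unsafe rendering carries extra statements and the safe one does not."""
    count, in_quote = 1, False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            count += 1
    return count


if __name__ == "__main__":
    print("unsafe :", currval_query_unsafe(MALICIOUS_SEQ))
    print("safe   :", render_for_display(*currval_query_safe(BENIGN_SEQ)))
    print("rejects:", is_rejected(MALICIOUS_SEQ), is_rejected("users_id_seq\n"))
```

Running it shows the unsafe rendering of the malicious name expanding into four statements, while the same name is refused outright by the identifier check, and even a parameter that slipped past validation would arrive as one quoted literal rather than as extra SQL.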