Bug#1106756: marked as done (bookworm-pu: package webpy/1:0.62-4+deb12u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1106756,
regarding bookworm-pu: package webpy/1:0.62-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106756
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package webpy/1:0.62-4+deb12u1
• From: Adrian Bunk <bunk@debian.org>
• Date: Thu, 29 May 2025 14:25:39 +0300
• Message-id: <174851793959.3408981.14291568165247894168.reportbug@localhost>

Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Debian Python Team <team+python@tracker.debian.org>

  * CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780)

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.

diffstat for webpy-0.62 webpy-0.62

 changelog                                    |    7 ++++
 patches/0001-Address-CVE-2025-3818-807.patch |   43 +++++++++++++++++++++++++++
 patches/series                               |    1 
 3 files changed, 51 insertions(+)

diff -Nru webpy-0.62/debian/changelog webpy-0.62/debian/changelog
--- webpy-0.62/debian/changelog	2023-02-26 00:14:11.000000000 +0200
+++ webpy-0.62/debian/changelog	2025-05-28 20:54:20.000000000 +0300
@@ -1,3 +1,10 @@
+webpy (1:0.62-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780)
+
+ -- Adrian Bunk <bunk@debian.org>  Wed, 28 May 2025 20:54:20 +0300
+
 webpy (1:0.62-4) unstable; urgency=medium
 
   * Fix debian/watch
diff -Nru webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch
--- webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch	1970-01-01 02:00:00.000000000 +0200
+++ webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch	2025-05-28 20:39:22.000000000 +0300
@@ -0,0 +1,43 @@
+From fc5451478a5ae648a29738012094aeeb77e6c5b8 Mon Sep 17 00:00:00 2001
+From: Mek <michael.karpeles@gmail.com>
+Date: Wed, 7 May 2025 15:14:44 -0400
+Subject: Address CVE-2025-3818 (#807)
+
+* Address CVE-2025-3818
+
+Co-authored-by: Scott Barnes <scottreidbarnes@gmail.com>
+
+---------
+
+Co-authored-by: Scott Barnes <scottreidbarnes@gmail.com>
+---
+ web/db.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/web/db.py b/web/db.py
+index 4559994..7e12d7f 100644
+--- a/web/db.py
++++ b/web/db.py
+@@ -1217,10 +1217,18 @@ class PostgresDB(DB):
+                 seqname = None
+ 
+         if seqname:
+-            query += "; SELECT currval('%s')" % seqname
++            query += self.get_sequence_query(seqname)
+ 
+         return query
+ 
++    def get_sequence_query(self, seqname):
++        import re
++        # Ensure the sequence name is valid
++        if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
++            raise ValueError(f"Invalid sequence name: {seqname}")
++        return SQLQuery("; SELECT currval(%s)", seqname)
++
++
+     def _get_all_sequences(self):
+         """Query postgres to find names of all sequences used in this database."""
+         if self._sequences is None:
+-- 
+2.30.2
+
diff -Nru webpy-0.62/debian/patches/series webpy-0.62/debian/patches/series
--- webpy-0.62/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ webpy-0.62/debian/patches/series	2025-05-28 20:54:20.000000000 +0300
@@ -0,0 +1 @@
+0001-Address-CVE-2025-3818-807.patch

--- End Message ---

--- Begin Message ---

• To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
• Subject: Closing p-u requests for fixes included in 12.12
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 06 Sep 2025 12:14:50 +0100
• Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---