diff -Nru sqlparse-0.4.2/debian/changelog sqlparse-0.4.2/debian/changelog
--- sqlparse-0.4.2/debian/changelog 2023-05-04 12:58:06.000000000 +0000
+++ sqlparse-0.4.2/debian/changelog 2024-05-08 13:18:32.000000000 +0000
@@ -1,3 +1,12 @@
+sqlparse (0.4.2-1ubuntu0.22.04.2) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2024-4340.patch: raise SQLParseError instead
+ of RecursionError in sqlparse/sql.py, tests/test_regressions.py.
+ - CVE-2024-4340
+
+ -- Leonidas Da Silva Barbosa Wed, 08 May 2024 10:18:32 -0300
+
 sqlparse (0.4.2-1ubuntu0.22.04.1) jammy-security; urgency=medium
 * SECURITY UPDATE: ReDoS
diff -Nru sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch
--- sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlparse-0.4.2/debian/patches/CVE-2024-4340.patch 2024-05-08 13:18:12.000000000 +0000
@@ -0,0 +1,69 @@
+Backported of:
+
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 6a32c26..ffffc77 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+
+
+@@ -209,11 +210,14 @@ def flatten(self):
+
+ This method is recursively called for all child tokens.
+ """
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+
+ def get_sublists(self):
+ for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index 38d1840..cd162a3 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,9 @@
+ import pytest
++import sys
+
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+
+
+ def test_issue9():
+@@ -418,3 +420,16 @@ def test_splitting_at_and_backticks_issue588():
+ 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
+ assert len(splitted) == 2
+ assert splitted[-1] == 'grant bar to user1@`myhost`;'
++
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(70)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 100 + ']' * 100)
diff -Nru sqlparse-0.4.2/debian/patches/series sqlparse-0.4.2/debian/patches/series
--- sqlparse-0.4.2/debian/patches/series 2023-05-04
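Review bot: The RecursionError-to-SQLParseError conversion is applied only inside `flatten()`, so if any other recursive walk of the token tree in this version (grouping or string rendering, if those recurse) reaches the interpreter limit first on the same deeply nested input, callers will still see a bare RecursionError; worth confirming that the regression test's input actually fails inside `flatten()` rather than earlier. The handler runs while the stack is nearly exhausted and depends on the interpreter's headroom for exception handling, so it should stay as minimal as it is here (no logging or formatting in the except branch). The docstring of `flatten()` should state the new contract, e.g. append `Raises SQLParseError when the token tree is nested deeper than the recursion limit.` after the existing sentence. In tests/test_regressions.py, `import sys` belongs in the stdlib group above `import pytest` rather than after it. The class enclosing `flatten()` starts outside the hunk.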
12:58:00.000000000 +0000
+++ sqlparse-0.4.2/debian/patches/series 2024-05-08 13:18:12.000000000 +0000
@@ -1 +1,2 @@
 CVE-2023-30608.patch
+CVE-2024-4340.patch