Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 678480 (CVE-2019-7164)

Summary: <dev-python/sqlalchemy-1.3.3: SQL Injection when the order_by parameter can be controlled (CVE-2019-7164)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ia64, python, vdupras
Priority: Normal Keywords: STABLEREQ
Version: unspecifiedFlags: stable-bot: sanity-check+
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1678520
Whiteboard: B3 [stable]
Package list:
dev-python/sqlalchemy-1.3.3
Runtime testing required: ---
Bug Depends on: 670896    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2019-02-21 09:04:35 UTC
From ${URL} :

A vulnerability was found in SQLAlchemy 1.2.17. An SQL Injection when the order_by parameter can be controlled.

Upstream issue:

https://github.com/sqlalchemy/sqlalchemy/issues/4481

Upstream patch:

https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2019-04-29 12:18:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74d676f319dab3f9e24d291d20906ca90b83196a

commit 74d676f319dab3f9e24d291d20906ca90b83196a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-04-29 12:12:54 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-04-29 12:13:49 +0000

    dev-python/sqlalchemy: bump to 1.3.3
    
    Bug: https://bugs.gentoo.org/678480
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 dev-python/sqlalchemy/Manifest                |  1 +
 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 63 +++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
Comment 2 Virgil Dupras gentoo-dev 2019-04-29 12:21:58 UTC
Issue 4481 was addressed in upstream's 1.3 release.

Arches, please stabilize. Thanks!
Comment 3 Sergei Trofimovich gentoo-dev 2019-04-29 20:17:14 UTC
ppc stable
Comment 4 Sergei Trofimovich gentoo-dev 2019-04-29 20:18:21 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-05-01 07:51:21 UTC
amd64 stable
Comment 6 Rolf Eike Beer 2019-05-02 21:50:01 UTC
sparc stable
Comment 7 Larry the Git Cow gentoo-dev 2019-05-06 18:04:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06272e72a051f00d166ee600a04603b86a39ec9e

commit 06272e72a051f00d166ee600a04603b86a39ec9e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-06 18:03:49 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-06 18:04:08 +0000

    dev-python/sqlalchemy-1.3.3-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/678480
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Markus Meier gentoo-dev 2019-05-09 04:44:54 UTC
arm stable
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-05-10 03:13:54 UTC
arm64 stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2019-05-13 00:42:53 UTC
x86 stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-05-26 07:08:01 UTC
hppa stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-05-26 09:47:08 UTC
s390 stable