
Bug 678480 (CVE-2019-7164)

Summary: <dev-python/sqlalchemy-1.3.3: SQL Injection when the order_by parameter can be controlled (CVE-2019-7164)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, python, vdupras
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1678520
Whiteboard: B3 [noglsa cve]
Package list: dev-python/sqlalchemy-1.3.3
Runtime testing required: ---
Bug Depends on: 670896
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2019-02-21 09:04:35 UTC
From ${URL} :

A vulnerability was found in SQLAlchemy 1.2.17: an SQL injection when the order_by parameter can be controlled.

Upstream issue:

https://github.com/sqlalchemy/sqlalchemy/issues/4481

Upstream patch:

https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
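The defect described above is reached only when an application lets user input flow into order_by(); the usual application-side mitigation is to resolve the user-supplied sort key against an allow-list of column names first and hand only the resolved column (e.g. `table.c[key.column].desc()`) to the query. The following is an added example of that check, not code from this bug report or from SQLAlchemy; the column set and the `name,-created_at` spec syntax are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed example: the only columns a caller may sort by. Anything else is
# refused, so a user-controlled sort key never reaches order_by() as free text.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "email", "created_at"})

# One key as a client may write it: "name", "-name", "name asc", "name desc".
_SORT_KEY_RE = re.compile(r"^(-?)([A-Za-z_]\w*)(?:\s+(asc|desc))?$", re.IGNORECASE)

@dataclass(frozen=True)
class SortKey:
    column: str
    descending: bool

def parse_sort_spec(spec: str, allowed=ALLOWED_SORT_COLUMNS) -> list[SortKey]:
    """Resolve a comma-separated user sort spec to allow-listed SortKeys.
    Raises ValueError for anything that is not exactly an allowed column
    plus an optional direction; a rejected value must not be forwarded."""
    keys: list[SortKey] = []
    seen: set[str] = set()
    for raw in spec.split(","):
        token = raw.strip()
        m = _SORT_KEY_RE.match(token)
        if m is None:
            raise ValueError(f"malformed sort key: {token!r}")
        minus, column, direction = m.groups()
        if column not in allowed:
            raise ValueError(f"sort column not permitted: {column!r}")
        if column in seen:
            raise ValueError(f"duplicate sort column: {column!r}")
        if minus and direction:
            raise ValueError(f"conflicting direction in {token!r}")
        seen.add(column)
        keys.append(SortKey(column, bool(minus) or (direction or "").lower() == "desc"))
    return keys

def is_valid_sort_spec(spec: str) -> bool:
    try:
        parse_sort_spec(spec)
    except ValueError:
        return False
    return True

def order_by_sql(spec: str) -> str:
    """Render ORDER BY from validated keys only. Stand-in for handing
    table.c[key.column].desc()/.asc() to SQLAlchemy's order_by()."""
    return "ORDER BY " + ", ".join(
        f"{k.column} {'DESC' if k.descending else 'ASC'}" for k in parse_sort_spec(spec))
```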
Comment 1 Larry the Git Cow gentoo-dev 2019-04-29 12:18:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74d676f319dab3f9e24d291d20906ca90b83196a

commit 74d676f319dab3f9e24d291d20906ca90b83196a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-04-29 12:12:54 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-04-29 12:13:49 +0000

    dev-python/sqlalchemy: bump to 1.3.3
    
    Bug: https://bugs.gentoo.org/678480
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 dev-python/sqlalchemy/Manifest                |  1 +
 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 63 +++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2019-04-29 12:21:58 UTC
Issue 4481 was addressed in upstream's 1.3 release.

Arches, please stabilize. Thanks!
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-29 20:17:14 UTC
ppc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-29 20:18:21 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-05-01 07:51:21 UTC
amd64 stable
Comment 6 Rolf Eike Beer archtester 2019-05-02 21:50:01 UTC
sparc stable
Comment 7 Larry the Git Cow gentoo-dev 2019-05-06 18:04:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06272e72a051f00d166ee600a04603b86a39ec9e

commit 06272e72a051f00d166ee600a04603b86a39ec9e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-06 18:03:49 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-06 18:04:08 +0000

    dev-python/sqlalchemy-1.3.3-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/678480
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Markus Meier gentoo-dev 2019-05-09 04:44:54 UTC
arm stable
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-05-10 03:13:54 UTC
arm64 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-13 00:42:53 UTC
x86 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:08:01 UTC
hppa stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-26 09:47:08 UTC
s390 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-01-20 23:24:33 UTC
ia64 stable
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 09:18:09 UTC
Cleanup done.
Comment 15 NATTkA bot gentoo-dev 2020-04-06 15:16:15 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:04:24 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].