Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 812512

Summary: <dev-python/sqlparse-0.4.2: ReDOS in 'strip comments' filter
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 812518    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-11 07:06:52 UTC 
The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-11 16:28:26 UTC 
Thanks!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-12 07:39:33 UTC 
cleanup done