Debian Bug report logs -
#1041428
sqlfluff: CVE-2023-36830
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1041428; Package src:sqlfluff.
(Tue, 18 Jul 2023 18:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>.
(Tue, 18 Jul 2023 18:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: sqlfluff
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for sqlfluff.
CVE-2023-36830[0]:
| SQLFluff is a SQL linter. Prior to version 2.1.2, in environments
| where untrusted users have access to the config files, there is a
| potential security vulnerability where those users could use the
| `library_path` config value to allow arbitrary python code to be
| executed via macros. For many users who use SQLFluff in the context
| of an environment where all users already have fairly escalated
| privileges, this may not be an issue - however in larger user bases,
| or where SQLFluff is bundled into another tool where developers
| still wish to give users access to supply their on rule
| configuration, this may be an issue. The 2.1.2 release offers the
| ability for the `library_path` argument to be overwritten on the
| command line by using the `--library-path` option. This overrides
| any values provided in the config files and effectively prevents
| this route of attack for users which have access to the config file,
| but not to the scripts which call the SQLFluff CLI directly. A
| similar option is provided for the Python API, where users also have
| a greater ability to further customise or override configuration as
| necessary. Unless `library_path` is explicitly required, SQLFluff
| maintainers recommend using the option `--library-path none` when
| invoking SQLFluff which will disable the `library-path` option
| entirely regardless of the options set in the configuration file or
| via inline config directives. As a workaround, limiting access to -
| or otherwise validating configuration files before they are ingested
| by SQLFluff will provides a similar effect and does not require
| upgrade.
https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-jqhc-m2j3-fjrx
https://github.com/sqlfluff/sqlfluff/pull/4925
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-36830
https://www.cve.org/CVERecord?id=CVE-2023-36830
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Jul 2023 20:45:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jul 19 11:55:50 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon