sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)

Related Vulnerabilities: CVE-2019-7164, CVE-2019-7548

Debian Bug report logs - #922669


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Feb 2019 06:51:02 UTC

Severity: grave

Tags: security, upstream

Found in versions sqlalchemy/1.2.15+ds1-1, sqlalchemy/1.2.18+ds1

Fixed in versions sqlalchemy/1.3.0~b3+ds1-1, sqlalchemy/1.2.18+ds1-2

Done: Thomas Goirand <zigo@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Tue, 19 Feb 2019 06:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Piotr Ożarowski <piotr@debian.org>. (Tue, 19 Feb 2019 06:51:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sqlalchemy: CVE-2019-7164 CVE-2019-7548
Date: Tue, 19 Feb 2019 07:48:17 +0100
Source: sqlalchemy
Version: 1.2.15+ds1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for sqlalchemy.

CVE-2019-7164[0]:
| SQL Injection when the order_by parameter can be controlled

CVE-2019-7548[1]:
| SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be
| controlled.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7164
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7164
[1] https://security-tracker.debian.org/tracker/CVE-2019-7548
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7548

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
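
The two CVEs above are the same defect class: ORDER BY and GROUP BY take column identifiers, not values, so they cannot be protected with bind parameters, and a request-supplied string handed to order_by() or group_by() ends up inside the statement. As an added example, not code from this bug report or from SQLAlchemy, the following plain-Python allowlist maps client-facing sort/group keys onto known column names and builds the clause only from the validated result. The "items" table, the column names, the "name,-created" parameter syntax and all helper names are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: the only columns a client may sort or group by.
# Keys are the public parameter names, values the real column names, so
# the statement never contains text that originated in the request.
ALLOWED_COLUMNS: Dict[str, str] = {
    "id": "id",
    "name": "name",
    "created": "created_at",
}

# One client token: optional "-" for descending, then a short bare word.
# Anything with spaces, punctuation or quoting fails here, before the
# allowlist is even consulted.
_TOKEN_RE = re.compile(r"^(-?)([A-Za-z_][A-Za-z0-9_]{0,30})$")


def parse_sort_param(param: str,
                     allowed: Dict[str, str] = ALLOWED_COLUMNS) -> List[Tuple[str, str]]:
    """Turn "name,-created" into [("name", "ASC"), ("created_at", "DESC")].

    Raises ValueError for any token that is not a known public key, so a
    full SQL expression or an internal column name is rejected outright.
    """
    result: List[Tuple[str, str]] = []
    for raw in param.split(","):
        m = _TOKEN_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed sort token: {raw!r}")
        sign, key = m.groups()
        if key not in allowed:
            raise ValueError(f"unknown sort column: {key!r}")
        result.append((allowed[key], "DESC" if sign else "ASC"))
    return result


def quote_ident(name: str) -> str:
    """Double-quote an identifier that already came from the allowlist."""
    return '"' + name.replace('"', '""') + '"'


def build_order_by(param: str) -> str:
    """ORDER BY clause built only from allowlisted column names."""
    cols = parse_sort_param(param)
    return "ORDER BY " + ", ".join(f"{quote_ident(c)} {d}" for c, d in cols)


def build_group_by(param: str) -> str:
    """GROUP BY clause; direction is ignored, validation is identical."""
    cols = parse_sort_param(param)
    return "GROUP BY " + ", ".join(quote_ident(c) for c, _ in cols)


def build_select(sort: Optional[str] = None) -> str:
    """Assemble a statement for the hypothetical "items" table.

    The row filter uses a bind parameter (:since); ORDER BY cannot, which
    is why the sort specification goes through the allowlist instead.
    """
    stmt = 'SELECT * FROM "items" WHERE "created_at" >= :since'
    if sort:
        stmt += " " + build_order_by(sort)
    return stmt


def is_accepted(param: str) -> bool:
    """True if the parameter survives validation; handy for tests."""
    try:
        parse_sort_param(param)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_select(sort="name,-created"))
    # Constructed inputs that must be rejected: a SQL fragment, an internal
    # column name the client should not know, and an empty parameter.
    for bad in ("name desc", "created_at", ""):
        print(f"{bad!r}: accepted={is_accepted(bad)}")
```

The point of the indirection is that the request string is only ever compared against the allowlist, never copied into SQL; what reaches the database is a value the application itself chose. The same check applies unchanged to a group-by parameter, which is why build_group_by reuses parse_sort_param.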



Marked as fixed in versions sqlalchemy/1.3.0~b3+ds1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 Feb 2019 08:03:06 GMT) (full text, mbox, link).


Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 11 Mar 2019 19:39:05 GMT) (full text, mbox, link).


Changed Bug title to 'sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)' from 'sqlalchemy: CVE-2019-7164 CVE-2019-7548'. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Sun, 07 Apr 2019 15:21:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, rvandegrift@debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Mon, 06 May 2019 03:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ross Vandegrift <rvandegrift@debian.org>:
Extra info received and forwarded to list. Copy sent to rvandegrift@debian.org, Piotr Ożarowski <piotr@debian.org>. (Mon, 06 May 2019 03:12:03 GMT) (full text, mbox, link).


Message #16 received at 922669@bugs.debian.org (full text, mbox, reply):

From: Ross Vandegrift <rvandegrift@debian.org>
To: Debian Bug Tracking System <922669@bugs.debian.org>
Subject: Re: sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)
Date: Sun, 05 May 2019 20:09:17 -0700
Source: sqlalchemy
Version: 1.2.18+ds1
Followup-For: Bug #922669

I've confirmed that 1.2.18+ds1 is affected despite the description at [1].
Upstream has a patch for the 1.2 series at [2].

A debdiff including the patch is attached.  It builds and the tests pass.
However, the fix requires removing previously supported behavior.  Consumers
that depend on this have been found [3], so I'm not sure if this should be
shipped in buster.

Ross

[1] https://github.com/sqlalchemy/sqlalchemy/issues/4481#issue-405370167
[2] https://gerrit.sqlalchemy.org/#/c/sqlalchemy/sqlalchemy/+/1184/
[3] https://github.com/sqlalchemy/sqlalchemy/issues/4538
[sqlalchemy-922669.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Mon, 06 May 2019 08:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Mon, 06 May 2019 08:24:03 GMT) (full text, mbox, link).


Message #21 received at 922669@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <thomas@goirand.fr>
To: Ross Vandegrift <rvandegrift@debian.org>, 922669@bugs.debian.org
Subject: Re: Bug#922669: sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)
Date: Mon, 6 May 2019 10:20:25 +0200
On 5/6/19 5:09 AM, Ross Vandegrift wrote:
> Source: sqlalchemy
> Version: 1.2.18+ds1
> Followup-For: Bug #922669
> 
> I've confirmed that 1.2.18+ds1 is affected despite the description at [1].
> Upstream has a patch for the 1.2 series at [2].
> 
> A debdiff including the patch is attached.  It builds and the tests pass.
> However, the fix requires removing previously supported behavior.  Consumers
> that depend on this have been found [3], so I'm not sure if this should be
> shipped in buster.

Hi,

I'm sorry, but where exactly do you see a list of affected consumers?

Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Mon, 06 May 2019 19:48:05 GMT) (full text, mbox, link).


Acknowledgement sent to Ross Vandegrift <rvandegrift@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Mon, 06 May 2019 19:48:05 GMT) (full text, mbox, link).


Message #26 received at 922669@bugs.debian.org (full text, mbox, reply):

From: Ross Vandegrift <rvandegrift@debian.org>
To: Thomas Goirand <thomas@goirand.fr>
Cc: Ross Vandegrift <rvandegrift@debian.org>, 922669@bugs.debian.org
Subject: Re: Bug#922669: sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)
Date: Mon, 6 May 2019 12:04:53 -0700
On Mon, May 06, 2019 at 10:20:25AM +0200, Thomas Goirand wrote:
> On 5/6/19 5:09 AM, Ross Vandegrift wrote:
> > Source: sqlalchemy
> > Version: 1.2.18+ds1
> > Followup-For: Bug #922669
> > 
> > I've confirmed that 1.2.18+ds1 is affected despite the description at [1].
> > Upstream has a patch for the 1.2 series at [2].
> > 
> > A debdiff including the patch is attached.  It builds and the tests pass.
> > However, the fix requires removing previously supported behavior.  Consumers
> > that depend on this have been found [3], so I'm not sure if this should be
> > shipped in buster.
> 
> Hi,
> 
> I'm sorry, but where exactly do you see a list of affected consumers?

I didn't find a list, I just wanted to note that upstream observed at
least one example (the bug report I linked as #3) of a user that was
broken by the required API change.

I don't know how concerned Debian should be about possible breakage.  I
don't use sqlalchemy much anymore, and never used the affected APIs.

Ross



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Tue, 21 May 2019 14:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@infomaniak.com>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Tue, 21 May 2019 14:39:03 GMT) (full text, mbox, link).


Message #31 received at 922669@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@infomaniak.com>
To: 922669@bugs.debian.org
Subject: Debdiff to fix this
Date: Tue, 21 May 2019 16:32:15 +0200
Hi,

Here's, attached to this message, the debdiff to fix this CVE. Note that
the patch was backported to 1.2 by upstream himself, so it's kind of
safe to apply, however, it may potentially impact SQLAlchemy reverse
dependencies. It should be safe for OpenStack applications though.

Please, either allow me to upload as-is, or build and upload yourself
ASAP (preferably, in time for Buster).

Cheers,

Thomas Goirand (zigo)
[sqlalchemy_1.2.18+ds1-2.debdiff (text/plain, attachment)]

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 21 May 2019 16:09:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 21 May 2019 16:09:03 GMT) (full text, mbox, link).


Message #36 received at 922669-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 922669-close@bugs.debian.org
Subject: Bug#922669: fixed in sqlalchemy 1.2.18+ds1-2
Date: Tue, 21 May 2019 16:05:37 +0000
Source: sqlalchemy
Source-Version: 1.2.18+ds1-2

We believe that the bug you reported is fixed in the latest version of
sqlalchemy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated sqlalchemy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 21 May 2019 16:23:35 +0200
Source: sqlalchemy
Binary: python-sqlalchemy python-sqlalchemy-doc python-sqlalchemy-ext python-sqlalchemy-ext-dbgsym python3-sqlalchemy python3-sqlalchemy-ext python3-sqlalchemy-ext-dbgsym
Architecture: source all amd64
Version: 1.2.18+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-sqlalchemy - SQL toolkit and Object Relational Mapper for Python
 python-sqlalchemy-doc - documentation for the SQLAlchemy Python library
 python-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python - C extension
 python3-sqlalchemy - SQL toolkit and Object Relational Mapper for Python 3
 python3-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python3 - C extensio
Closes: 922669
Changes:
 sqlalchemy (1.2.18+ds1-2) unstable; urgency=high
 .
   * Team upload.
   * CVE-2019-7164 CVE-2019-7548: SQL injection. Apply upstream backported patch
     for this. Note: This potentially impacts applications (Closes: #922669).
Checksums-Sha1:
 9f943f43e6fef9dd28a654b40e3e5754783768f7 2557 sqlalchemy_1.2.18+ds1-2.dsc
 bc05d08eb42d70aab5f7569f50c8bb2d402bea09 16052 sqlalchemy_1.2.18+ds1-2.debian.tar.xz
 1f661a8912b086f93f025c15d4e46384267af8ba 2319404 python-sqlalchemy-doc_1.2.18+ds1-2_all.deb
 e65eedf1efa2de8e7044682fc60be25c9d009e94 41520 python-sqlalchemy-ext-dbgsym_1.2.18+ds1-2_amd64.deb
 f7fc34b09a05355f7cfb539ba6febbd75e0cdf56 19248 python-sqlalchemy-ext_1.2.18+ds1-2_amd64.deb
 6311846bf03c45b2fc6645e60f146abb04240b7e 728956 python-sqlalchemy_1.2.18+ds1-2_all.deb
 b4d139d4617c0d756830283ba1bb61697cb1c155 51140 python3-sqlalchemy-ext-dbgsym_1.2.18+ds1-2_amd64.deb
 69a6522274691c0c78dd3de18282f61f23d9a0e6 19348 python3-sqlalchemy-ext_1.2.18+ds1-2_amd64.deb
 acf1759bc0f572b58656054256175804ccafbd4f 727452 python3-sqlalchemy_1.2.18+ds1-2_all.deb
 79e2736de5e9585574c8a532368065365641a52c 9769 sqlalchemy_1.2.18+ds1-2_amd64.buildinfo
Checksums-Sha256:
 1a6d35cab7b397a03f8b6b1ed3f384cf6c470db77eda53596ae0fa9470a70f1c 2557 sqlalchemy_1.2.18+ds1-2.dsc
 482b0a206e2f316db861e2051450966c97dc3023ad4ed633ca7afa9bb5f6a41b 16052 sqlalchemy_1.2.18+ds1-2.debian.tar.xz
 e9ecf89fab033bfd79b511334e034c5e2816dcb73fc2a2ed96d68ae4a165cc96 2319404 python-sqlalchemy-doc_1.2.18+ds1-2_all.deb
 1536698197a0ad4505f6ee9ce1bc9aa8e45dfcea6128ff1371d862a58659cd1f 41520 python-sqlalchemy-ext-dbgsym_1.2.18+ds1-2_amd64.deb
 b2afb6ca84eb53eba99d9eae178c7c631c629b2b2a53e277bc8a03a7603ab4ec 19248 python-sqlalchemy-ext_1.2.18+ds1-2_amd64.deb
 abc0234cdd0fd6b1a6e87ca5a703f59ce65eb60d28938b049ec2bb1b1d2351b2 728956 python-sqlalchemy_1.2.18+ds1-2_all.deb
 258820968ad24434ab587ef81e0b91f9494301e2bb6a52a69e26c3edd261081e 51140 python3-sqlalchemy-ext-dbgsym_1.2.18+ds1-2_amd64.deb
 7287ee2eb0d6da462423d432510febd5fb3662533def8963ac0d7d14de0b5ceb 19348 python3-sqlalchemy-ext_1.2.18+ds1-2_amd64.deb
 73bbb0811cb9d64eb140fe9cce9e9ca08253711f0d3b304259b225b92af796a6 727452 python3-sqlalchemy_1.2.18+ds1-2_all.deb
 7c05a0a70b27be9f99b72fa1d993c7e8177b7206b9f55fb550921afa7594ebc8 9769 sqlalchemy_1.2.18+ds1-2_amd64.buildinfo
Files:
 7ac894f57be2e1dabfc06d822fad5760 2557 python optional sqlalchemy_1.2.18+ds1-2.dsc
 ba43da2a8afc562f52a39a17d9bfcdb3 16052 python optional sqlalchemy_1.2.18+ds1-2.debian.tar.xz
 74d907d1b27a89fffe451640a1396450 2319404 doc optional python-sqlalchemy-doc_1.2.18+ds1-2_all.deb
 a91f53d5eceff20d215e1148f99c8d51 41520 debug optional python-sqlalchemy-ext-dbgsym_1.2.18+ds1-2_amd64.deb
 3f382d51113e73203e5ee9e21608e8da 19248 python optional python-sqlalchemy-ext_1.2.18+ds1-2_amd64.deb
 03f107c223d4c0c6d840341d0687f7f9 728956 python optional python-sqlalchemy_1.2.18+ds1-2_all.deb
 913fc3e4288ea97cedf20be8bb2e9770 51140 debug optional python3-sqlalchemy-ext-dbgsym_1.2.18+ds1-2_amd64.deb
 131ccf6840fd714265c7ef1149fc8b37 19348 python optional python3-sqlalchemy-ext_1.2.18+ds1-2_amd64.deb
 b5b976ac9c38016d48eb6fc6e7bc7d05 727452 python optional python3-sqlalchemy_1.2.18+ds1-2_all.deb
 17aaa2c469a2d4b3f23f02fa3774efb9 9769 python optional sqlalchemy_1.2.18+ds1-2_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Sat, 01 Jun 2019 11:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hideki Yamane <henrich@iijmio-mail.jp>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Sat, 01 Jun 2019 11:45:03 GMT) (full text, mbox, link).


Message #41 received at 922669@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@iijmio-mail.jp>
To: Thomas Goirand <zigo@debian.org>
Cc: 922669@bugs.debian.org
Subject: Re: Bug#922669: fixed in sqlalchemy 1.2.18+ds1-2
Date: Sat, 1 Jun 2019 20:40:27 +0900
Hi,

 Did you file an unblock for sqlalchemy?
 Or also add a debian/NEWS file to indicate the potential incompatibility for
 applications?

-- 
Hideki Yamane <henrich@iijmio-mail.jp>



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#922669; Package src:sqlalchemy. (Fri, 07 Jun 2019 07:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Fri, 07 Jun 2019 07:39:05 GMT) (full text, mbox, link).


Message #46 received at 922669@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Hideki Yamane <henrich@iijmio-mail.jp>, 922669@bugs.debian.org
Subject: Re: Bug#922669: fixed in sqlalchemy 1.2.18+ds1-2
Date: Fri, 7 Jun 2019 09:35:14 +0200
On 6/1/19 1:40 PM, Hideki Yamane wrote:
> Hi,
> 
>  Did you file an unblock for sqlalchemy?

It's already migrated to Buster.

>  Or also add a debian/NEWS file to indicate the potential incompatibility for
>  applications?

No, I haven't. However, the risk is just an SQL query not working, and
apparently, only in rare edge cases where there's already an issue.

Cheers,

Thomas Goirand (zigo)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:36:55 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.