On 5/22/24 17:08, Moritz Mühlenhoff wrote:
The following vulnerability was published for python-pymysql.

We should also fix this in a DSA, could you prepare debdiffs for
bookworm-security and bullseye-security?

CVE-2024-36039[0]:
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted
| JSON input because keys are not escaped by escape_dict.

https://github.com/advisories/GHSA-v9hf-5j83-6xpp
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36039
     https://www.cve.org/CVERecord?id=CVE-2024-36039

Please adjust the affected versions in the BTS as needed.

Hi,

Please find attached to this message the fixes I would like to upload to bullseye and bookworm. Please allow these uploads.

Note that I have uploaded the latest upstream version 1.1.1-1 to unstable, which includes the patch in these debdiffs.

Cheers,

Thomas Goirand (zigo)
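To illustrate the CVE description quoted above and the behaviour change in the debdiffs that follow, here is an added, self-contained Python sketch (not PyMySQL's code and not part of this thread): a simplified stand-in for escape_item, the pre-fix escape_dict that escapes values but passes keys through untouched, the post-fix version that rejects dict parameters, and the defensive pattern a caller should use when JSON keys are meant to become column names. ALLOWED_COLUMNS, build_update and the sample input are constructed for the example.

```python
import re

# Added illustration, not PyMySQL's code: a minimal stand-in for
# pymysql.converters.escape_item that handles only str and int.
def escape_item(val):
    if isinstance(val, int):
        return str(val)
    if isinstance(val, str):
        return "'" + val.replace("\\", "\\\\").replace("'", "\\'") + "'"
    raise TypeError(f"unsupported type {type(val).__name__}")

# Pre-1.1.1 behaviour (CVE-2024-36039): values are escaped, keys pass
# through untouched, so a key from untrusted JSON reaches SQL text verbatim.
def escape_dict_vulnerable(val):
    n = {}
    for k, v in val.items():
        n[k] = escape_item(v)
    return n

# Behaviour after the upstream fix: a dict parameter is rejected outright.
def escape_dict_fixed(val):
    raise TypeError("dict can not be used as parameter")

# Defensive pattern for code that builds an UPDATE from JSON: keys are column
# names, so they are checked against an allow-list of known columns and quoted
# as identifiers; only the values go through the escaper.
ALLOWED_COLUMNS = frozenset({"name", "email", "age"})  # constructed example
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_update(table, untrusted, allowed=ALLOWED_COLUMNS):
    if not IDENT_RE.match(table):
        raise ValueError("bad table name")
    assignments = []
    for key, value in untrusted.items():
        if key not in allowed or not IDENT_RE.match(key):
            raise ValueError(f"unexpected column {key!r}")
        assignments.append(f"`{key}`={escape_item(value)}")
    return f"UPDATE `{table}` SET " + ", ".join(assignments)

def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to show the rejecting paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False

if __name__ == "__main__":
    tainted = {"name'": "Al'ice"}  # constructed: the key carries a quote
    print(escape_dict_vulnerable(tainted))   # key is returned unescaped
    print(build_update("users", {"name": "Al'ice", "age": 30}))
```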
diff -Nru python-pymysql-0.9.3/debian/changelog 
python-pymysql-0.9.3/debian/changelog
--- python-pymysql-0.9.3/debian/changelog       2019-09-05 08:07:35.000000000 
+0200
+++ python-pymysql-0.9.3/debian/changelog       2024-05-28 08:56:57.000000000 
+0200
@@ -1,3 +1,11 @@
+python-pymysql (0.9.3-2+deb11u1) bullseye-security; urgency=medium
+
+  * CVE-2024-36039: PyMySQL through 1.1.0 allows SQL injection if used with
+    untrusted JSON input because keys are not escaped by escape_dict. Applied
+    upstream patch: forbid_dict_parameter.patch (Closes: #1071628).
+
+ -- Thomas Goirand <z...@debian.org>  Tue, 28 May 2024 08:56:57 +0200
+
 python-pymysql (0.9.3-2) unstable; urgency=medium
 
   * Team upload.
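Review bot: the changelog entry names the applied patch forbid_dict_parameter.patch, but the file added under debian/patches is CVE-2024-36039_forbid_dict_parameter.patch; quote the real file name so the entry matches debian/patches/series. The entry otherwise only restates the CVE text; since the fix makes escape_dict raise TypeError for any dict parameter (con.escape(dict) now fails instead of returning an escaped dict), a sentence spelling out that behaviour change would help users of the stable update understand why code that passed dict values starts failing.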
diff -Nru 
python-pymysql-0.9.3/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch 
python-pymysql-0.9.3/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch
--- 
python-pymysql-0.9.3/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch  
    1970-01-01 01:00:00.000000000 +0100
+++ 
python-pymysql-0.9.3/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch  
    2024-05-28 08:56:57.000000000 +0200
@@ -0,0 +1,47 @@
+Description: CVE-2024-36039: forbid dict parameter
+Author: Inada Naoki <songofaca...@gmail.com>
+Date: Sat, 18 May 2024 11:33:30 +0900
+Origin: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c.patch
+Bug-Debian: https://bugs.debian.org/1071628
+Last-Update: 2024-05-28
+
+Index: python-pymysql/pymysql/converters.py
+===================================================================
+--- python-pymysql.orig/pymysql/converters.py
++++ python-pymysql/pymysql/converters.py
+@@ -28,11 +28,7 @@ def escape_item(val, charset, mapping=No
+     return val
+ 
+ def escape_dict(val, charset, mapping=None):
+-    n = {}
+-    for k, v in val.items():
+-        quoted = escape_item(v, charset, mapping)
+-        n[k] = quoted
+-    return n
++    raise TypeError("dict can not be used as parameter")
+ 
+ def escape_sequence(val, charset, mapping=None):
+     n = []
+Index: python-pymysql/pymysql/tests/test_connection.py
+===================================================================
+--- python-pymysql.orig/pymysql/tests/test_connection.py
++++ python-pymysql/pymysql/tests/test_connection.py
+@@ -553,13 +553,16 @@ class TestEscape(base.PyMySQLTestCase):
+ 
+         self.assertRaises(TypeError, con.escape, 42, {})
+ 
+-    def test_escape_dict_value(self):
++    def test_escape_dict_raise_typeerror(self):
++        """con.escape(dict) should raise TypeError"""
+         con = self.connect()
+         cur = con.cursor()
+ 
+         mapping = con.encoders.copy()
+         mapping[Foo] = escape_foo
+-        self.assertEqual(con.escape({'foo': Foo()}, mapping), {'foo': "bar"})
++        #self.assertEqual(con.escape({'foo': Foo()}, mapping), {'foo': "bar"})
++        with self.assertRaises(TypeError):
++            con.escape({"foo": Foo()})
+ 
+     def test_escape_list_item(self):
+         con = self.connect()
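Review bot: the Origin: field at the top of the new patch file appears split across two lines, with the URL on a line of its own and no leading +; if that is the file on disk rather than mail wrapping, the DEP-3 header will not parse as one field, so check it. In the test_connection.py part, test_escape_dict_raise_typeerror keeps `cur = con.cursor()`, `mapping = con.encoders.copy()` and `mapping[Foo] = escape_foo`, none of which the new `with self.assertRaises(TypeError):` block uses, and leaves the old assertEqual commented out instead of removed; that mirrors the upstream commit, so it is acceptable for a security update, but the dead setup should go if the patch is ever refreshed.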
diff -Nru python-pymysql-0.9.3/debian/patches/series 
python-pymysql-0.9.3/debian/patches/series
--- python-pymysql-0.9.3/debian/patches/series  2019-09-05 08:07:35.000000000 
+0200
+++ python-pymysql-0.9.3/debian/patches/series  2024-05-28 08:56:57.000000000 
+0200
@@ -1,2 +1,3 @@
 0001-Disabling-not-working-unit-tests.patch
 0002-remove_intersphinx.patch
+CVE-2024-36039_forbid_dict_parameter.patch
diff -Nru python-pymysql-1.0.2/debian/changelog 
python-pymysql-1.0.2/debian/changelog
--- python-pymysql-1.0.2/debian/changelog       2021-08-16 19:11:00.000000000 
+0200
+++ python-pymysql-1.0.2/debian/changelog       2024-05-28 08:15:32.000000000 
+0200
@@ -1,3 +1,11 @@
+python-pymysql (1.0.2-2+deb12u1) bookworm-security; urgency=medium
+
+  * CVE-2024-36039: PyMySQL through 1.1.0 allows SQL injection if used with
+    untrusted JSON input because keys are not escaped by escape_dict. Applied
+    upstream patch: forbid_dict_parameter.patch (Closes: #1071628).
+
+ -- Thomas Goirand <z...@debian.org>  Tue, 28 May 2024 08:15:32 +0200
+
 python-pymysql (1.0.2-2) unstable; urgency=medium
 
   * Upload to unstable.
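Review bot: the changelog names the applied patch forbid_dict_parameter.patch, while the file added to debian/patches (and to series) is CVE-2024-36039_forbid_dict_parameter.patch; use the actual file name. Consider also stating that escape_dict now raises TypeError for every dict parameter, because that is a visible behaviour change for bookworm users beyond the CVE wording.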
diff -Nru 
python-pymysql-1.0.2/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch 
python-pymysql-1.0.2/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch
--- 
python-pymysql-1.0.2/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch  
    1970-01-01 01:00:00.000000000 +0100
+++ 
python-pymysql-1.0.2/debian/patches/CVE-2024-36039_forbid_dict_parameter.patch  
    2024-05-28 08:15:32.000000000 +0200
@@ -0,0 +1,47 @@
+Description: CVE-2024-36039: forbid dict parameter
+Author: Inada Naoki <songofaca...@gmail.com>
+Date: Sat, 18 May 2024 11:33:30 +0900
+Origin: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c.patch
+Bug-Debian: https://bugs.debian.org/1071628
+Last-Update: 2024-05-28
+
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac752..dbf97ca7 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
+ 
+ 
+ def escape_dict(val, charset, mapping=None):
+-    n = {}
+-    for k, v in val.items():
+-        quoted = escape_item(v, charset, mapping)
+-        n[k] = quoted
+-    return n
++    raise TypeError("dict can not be used as parameter")
+ 
+ 
+ def escape_sequence(val, charset, mapping=None):
+diff --git a/pymysql/tests/test_connection.py 
b/pymysql/tests/test_connection.py
+index ccfc4a32..dcf3394c 100644
+--- a/pymysql/tests/test_connection.py
++++ b/pymysql/tests/test_connection.py
+@@ -754,13 +754,16 @@
+ 
+         self.assertRaises(TypeError, con.escape, 42, {})
+ 
+-    def test_escape_dict_value(self):
++    def test_escape_dict_raise_typeerror(self):
++        """con.escape(dict) should raise TypeError"""
+         con = self.connect()
+         cur = con.cursor()
+ 
+         mapping = con.encoders.copy()
+         mapping[Foo] = escape_foo
+-        self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
++        #self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
++        with self.assertRaises(TypeError):
++            con.escape({"foo": Foo()})
+ 
+     def test_escape_list_item(self):
+         con = self.connect()
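Review bot: this copy of the patch keeps the upstream `diff --git` and `index ccfc4a32..dcf3394c` headers and the upstream hunk offset `@@ -754,13 +754,16 @@`, whereas the bullseye copy was refreshed into quilt Index: form (`@@ -553,13 +553,16 @@`); that is fine if quilt applies it to 1.0.2 without fuzz, but a refresh would record the offsets actually used and drop the git index line. As in upstream, the new test keeps the unused `cur` and `mapping` setup and a commented-out assertEqual; remove them when refreshing.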
diff -Nru python-pymysql-1.0.2/debian/patches/series 
python-pymysql-1.0.2/debian/patches/series
--- python-pymysql-1.0.2/debian/patches/series  2021-08-16 19:11:00.000000000 
+0200
+++ python-pymysql-1.0.2/debian/patches/series  2024-05-28 08:15:32.000000000 
+0200
@@ -1,3 +1,4 @@
 #0001-Disabling-not-working-unit-tests.patch
 0002-remove_intersphinx.patch
 removed-broken-tests.patch
+CVE-2024-36039_forbid_dict_parameter.patch
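Review bot: the new patch is appended after removed-broken-tests.patch, which by its name may also edit pymysql/tests/test_connection.py; confirm that the test_connection.py hunk of CVE-2024-36039_forbid_dict_parameter.patch still applies cleanly after it (quilt push -a on the bookworm tree), since this copy of the patch still carries the upstream `diff --git` headers rather than offsets refreshed against the Debian source.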
