2005072 – (CVE-2021-32839) CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments filter

Bug 2005072 (CVE-2021-32839) - CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments filter

Summary: CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-32839
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2005178 2012131 2012132 2015634 2005074 2005951 2006250
Blocks:	2005075
TreeView+	depends on / blocked

Reported:	2021-09-16 17:07 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-07-05 14:26 UTC (History)
CC List:	46 users (show)
Fixed In Version:	sqlparse 0.4.2
Doc Type:	If docs needed, set a value
Doc Text:	A resource-consumption flaw was found in python-sqlparse. The formatter function that strips comments from SQL contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). A network attacker could craft an SQL comment containing numerous repetitions of '\r\n' that could cause exponential backtracking and cause the system to hang.
Clone Of:
Environment:
Last Closed:	2021-11-01 01:52:20 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5498	0	None	None	None	2022-07-05 14:26:53 UTC

Description Guilherme de Almeida Suckevicz 2021-09-16 17:07:54 UTC

The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.

Reference:
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf

Comment 1 Guilherme de Almeida Suckevicz 2021-09-16 17:08:17 UTC

Created python-sqlparse tracking bugs for this issue:

Affects: fedora-all [bug 2005074]

Comment 2 Summer Long 2021-09-17 02:38:33 UTC

Upstream commit: https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb

Comment 3 Summer Long 2021-09-17 02:53:33 UTC

Created python-sqlparse tracking bugs for this issue:

Affects: openstack-rdo [bug 2005178]

Comment 10 errata-xmlrpc 2022-07-05 14:26:50 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Note You need to log in before you can comment on or make changes to this bug.

apevec
bbuckingham
bcoca
bcourt
bkearney
btotty
caswilli
chousekn
cmeyers
davidn
dbecker
dmalcolm
ehelms
gblomqui
hhorak
jcammara
jhardy
jjoyce
jobarker
jschluet
jsherril
jwong
kaycoth
lhh
lpeer
lzap
mabashia
mburns
me
mhulan
mmccune
myarboro
nmoumoul
notting
orabin
osapryki
pcreech
rchan
relrod
rhos-maint
rpetrell
sclewis
sdoran
slinaber
smcdonal
tkuratom