Bug#930996: Bug#929321: Update for SQLAlchemy to address CVE-2019-7164 CVE-2019-7548

2019-06-28 Thread Thomas Goirand
On 6/27/19 8:39 PM, Paul Gevers wrote:
> Hi Thomas,
> 
> On 31-05-2019 01:34, Thomas Goirand wrote:
>> Dear package maintainer,
>>
>> We're about to upgrade SQLAlchemy in Buster to address an SQL injection
>> issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.
>>
>> In some rare cases, this update may break reverse dependencies, leading
>> to non-working SQL queries.
>>
>> This is why I'm writing this email to you today: to ask you to please
>> test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
>> potential unforecast issue before the Buster release.
>>
>> Details about the discussion can be seen here in the Debian bug #929321.
>>
>> Best regards,
> 
> Is this explaining the FTBFS of cloudkitty? We're looking at all the RC
> bugs to see what needs to happen and cloudkitty is about to be removed
> due to this FTBFS. (I am not promising anything, but if the fix is clear,
> we may leave it in and let you fix it in the first point release).
> 
> Paul
> 

Hi Paul,

I applied upstream patch, released today:
https://review.opendev.org/#/c/668120/

Debdiff attached. I've opened an unblock bug too: #931220

Cheers,

Thomas Goirand (zigo)
diff -Nru cloudkitty-8.0.0/debian/changelog cloudkitty-8.0.0/debian/changelog
--- cloudkitty-8.0.0/debian/changelog   2019-01-24 14:45:39.0 +0100
+++ cloudkitty-8.0.0/debian/changelog   2019-06-28 15:01:45.0 +0200
@@ -1,3 +1,11 @@
+cloudkitty (8.0.0-5) unstable; urgency=medium
+
+  * Add upstream patch to fix FTBFS after we updated SQLAlchemy to fix
+CVE-2019-7164 CVE-2019-7548 (SQL injection) (see debian bug 922669 and
+929321 for more info) (Closes: #930996).
+
+ -- Thomas Goirand   Fri, 28 Jun 2019 15:01:45 +0200
+
 cloudkitty (8.0.0-4) unstable; urgency=medium
 
   * Correct default path to metrics.yml in [collect]/metrics_conf.
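Review bot: the new changelog entry in this hunk does not name the patch file it introduces; adding `Fix_sqlalchemy_grouping_on_v1_storage.patch` to the `* Add upstream patch ...` line would let a reader map the entry straight to the file in debian/patches, which is useful when a stable update is later reviewed or reverted.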
diff -Nru 
cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 
cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
--- cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 
1970-01-01 01:00:00.0 +0100
+++ cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 
2019-06-28 15:01:45.0 +0200
@@ -0,0 +1,39 @@
+Description: Fix sqlalchemy grouping on v1 storage (Fixes FTBFS in Buster)
+ This fixes "CompileError: Can't resolve label reference for
+ ORDER BY / GROUP BY." error messages raised by sqlalchemy when the groupby
+ expression includes a comma.
+Author: Luka Peschke 
+Date: Tue, 4 Jun 2019 15:21:05 +0200
+Change-Id: Ia253175b45b8222aaee415ea535fa4102312be5a
+Bug-Debian: https://bugs.debian.org/930996
+Origin: upstream, https://review.opendev.org/668120
+Last-Update: 2019-06-28
+
+diff --git a/cloudkitty/storage/v1/sqlalchemy/__init__.py 
b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+index 77403e3..7b56da6 100644
+--- a/cloudkitty/storage/v1/sqlalchemy/__init__.py
 b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+@@ -127,7 +127,7 @@ class SQLAlchemyStorage(storage.BaseStorage):
+ self.frame_model.end <= end,
+ self.frame_model.res_type != '_NO_DATA_')
+ if groupby:
+-q = q.group_by(groupby)
++q = q.group_by(sqlalchemy.sql.text(groupby))
+ 
+ # Order by sum(rate)
+ q = q.order_by(sqlalchemy.func.sum(self.frame_model.rate))
+diff --git a/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml 
b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+new file mode 100644
+index 000..02c1e4d
+--- /dev/null
 b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++  - |
++``CompileError: Can't resolve label reference for ORDER BY / GROUP BY.``
++errors that were sometimes raised by SQLAlchemy when using the v1 storage
++backend and grouping on ``tenant_id`` and ``res_type`` have been fixed.
+-- 
+2.7.4
+
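Review bot: the one-line change `-q = q.group_by(groupby)` / `+q = q.group_by(sqlalchemy.sql.text(groupby))` restores the build by telling SQLAlchemy to accept `groupby` as literal SQL text, which sidesteps the very hardening in the updated SQLAlchemy that caused the FTBFS; the hunk is therefore only safe if `groupby` is restricted to known column names before it reaches this line. Nothing in this hunk shows that restriction, so either validate each comma-separated element of `groupby` against the `frame_model` column names (the release note mentions `tenant_id` and `res_type`) right before the `group_by` call, or build the clause from `self.frame_model` column attributes instead of a caller-supplied string; if that validation already happens in the API layer, a short comment here pointing to it would help the next reviewer. Also, the DEP-3 `Author:` line has lost its e-mail address.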
diff -Nru cloudkitty-8.0.0/debian/patches/series 
cloudkitty-8.0.0/debian/patches/series
--- cloudkitty-8.0.0/debian/patches/series  2019-01-24 14:45:39.0 
+0100
+++ cloudkitty-8.0.0/debian/patches/series  2019-06-28 15:01:45.0 
+0200
@@ -1,3 +1,4 @@
 allow-any-sqla-version.patch
 missing-files.patch
 remove-mathjax-extention-from-sphinx-doc.patch
+Fix_sqlalchemy_grouping_on_v1_storage.patch
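As an added example that is not cloudkitty's or SQLAlchemy's own code, here is the defensive counterpart to the `text(groupby)` change in the debdiff above: the comma-separated groupby string is checked element by element against an allow-list of column names before any SQL text is built, so a malformed or unexpected value fails closed. The allow-list (beyond `tenant_id` and `res_type`, which the release note mentions), the `group_by_clause` helper and the sample inputs are constructed for this example.

```python
import re

# Constructed allow-list: the column names the v1 storage layer may group on.
# tenant_id and res_type come from the release note; the others are assumed.
ALLOWED_GROUPBY = frozenset({"tenant_id", "res_type", "begin", "end"})

# A bare SQL identifier: letters, digits and underscores, not starting with a digit.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_groupby(groupby, allowed=ALLOWED_GROUPBY):
    """Split a comma-separated groupby string and validate every element.

    Returns the list of validated column names, or raises ValueError.
    Only names present in `allowed` pass, so anything that is not a plain,
    known identifier (quotes, semicolons, comments, expressions) is rejected
    before it could reach a text()-wrapped GROUP BY clause.
    """
    if groupby is None or not groupby.strip():
        return []
    columns = []
    for raw in groupby.split(","):
        name = raw.strip()
        if not name:
            raise ValueError("empty element in groupby: %r" % groupby)
        if not _IDENT_RE.match(name) or name not in allowed:
            raise ValueError("unsupported groupby column: %r" % name)
        if name in columns:
            continue  # duplicate names collapse to a single GROUP BY term
        columns.append(name)
    return columns


def group_by_clause(groupby, allowed=ALLOWED_GROUPBY):
    """Hypothetical helper: build GROUP BY text from validated names only."""
    return ", ".join(parse_groupby(groupby, allowed))


if __name__ == "__main__":
    # Constructed inputs: the comma case from the patch description, then a
    # value that must be rejected rather than passed through as SQL text.
    print(group_by_clause("tenant_id, res_type"))  # tenant_id, res_type
    try:
        parse_groupby("res_type; --")
    except ValueError as exc:
        print("rejected:", exc)
```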


Bug#930996: Bug#929321: Update for SQLAlchemy to address CVE-2019-7164 CVE-2019-7548

2019-06-28 Thread Thomas Goirand
On 6/27/19 8:39 PM, Paul Gevers wrote:
> Hi Thomas,
> 
> On 31-05-2019 01:34, Thomas Goirand wrote:
>> Dear package maintainer,
>>
>> We're about to upgrade SQLAlchemy in Buster to address an SQL injection
>> issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.
>>
>> In some rare cases, this update may break reverse dependencies, leading
>> to non-working SQL queries.
>>
>> This is why I'm writing this email to you today: to ask you to please
>> test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
>> potential unforecast issue before the Buster release.
>>
>> Details about the discussion can be seen here in the Debian bug #929321.
>>
>> Best regards,
> 
> Is this explaining the FTBFS of cloudkitty? We're looking at all the RC
> bugs to see what needs to happen and cloudkitty is about to be removed
> due to this FTBFS. (I am not promising anything, but if the fix is clear,
> we may leave it in and let you fix it in the first point release).
> 
> Paul

Hi Paul,

Yes, I can try to fix it in the next point release. I very much would
prefer if cloudkitty could stay in Buster.

Cheers,

Thomas Goirand (zigo)



Bug#930996: Bug#929321: Update for SQLAlchemy to address CVE-2019-7164 CVE-2019-7548

2019-06-27 Thread Paul Gevers
Hi Thomas,

On 31-05-2019 01:34, Thomas Goirand wrote:
> Dear package maintainer,
> 
> We're about to upgrade SQLAlchemy in Buster to address an SQL injection
> issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.
> 
> In some rare cases, this update may break reverse dependencies, leading
> to non-working SQL queries.
> 
> This is why I'm writing this email to you today: to ask you to please
> test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
> potential unforecast issue before the Buster release.
> 
> Details about the discussion can be seen here in the Debian bug #929321.
> 
> Best regards,

Is this explaining the FTBFS of cloudkitty? We're looking at all the RC
bugs to see what needs to happen and cloudkitty is about to be removed
due to this FTBFS. (I am not promising anything, but if the fix is clear,
we may leave it in and let you fix it in the first point release).

Paul





Bug#929321: Update for SQLAlchemy to address CVE-2019-7164 CVE-2019-7548

2019-05-31 Thread Paul Gevers
Control: tags -1 - moreinfo

Hi Thomas,

On 31-05-2019 01:34, Thomas Goirand wrote:
> Dear package maintainer,
> 
> We're about to upgrade SQLAlchemy in Buster to address an SQL injection
> issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.
> 
> In some rare cases, this update may break reverse dependencies, leading
> to non-working SQL queries.
> 
> This is why I'm writing this email to you today: to ask you to please
> test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
> potential unforecast issue before the Buster release.
> 
> Details about the discussion can be seen here in the Debian bug #929321.
> 
> Best regards,
> 
> Thomas Goirand (zigo)

Thanks for sending this. I'll give this a day or two and then I intend
to unblock SQLAlchemy.

Paul





Bug#929321: Update for SQLAlchemy to address CVE-2019-7164 CVE-2019-7548

2019-05-30 Thread Thomas Goirand
Dear package maintainer,

We're about to upgrade SQLAlchemy in Buster to address an SQL injection
issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.

In some rare cases, this update may break reverse dependencies, leading
to non-working SQL queries.

This is why I'm writing this email to you today: to ask you to please
test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
potential unforecast issue before the Buster release.

Details about the discussion can be seen here in the Debian bug #929321.

Best regards,

Thomas Goirand (zigo)