Version in base suite: 0.62-4 Base version: webpy_0.62-4 Target version: webpy_0.62-4+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/w/webpy/webpy_0.62-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/w/webpy/webpy_0.62-4+deb12u1.dsc changelog | 7 ++++ patches/0001-Address-CVE-2025-3818-807.patch | 43 +++++++++++++++++++++++++++ patches/series | 1 3 files changed, 51 insertions(+) gpgv: Signature made Sat Feb 25 22:24:01 2023 UTC gpgv: using RSA key 7ED1DEA345D9A0A118D4A740E3E0A1C286B963EA gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpll9qkith/webpy_0.62-4.dsc
diff -Nru webpy-0.62/debian/changelog webpy-0.62/debian/changelog
--- webpy-0.62/debian/changelog 2023-02-25 22:14:11.000000000 +0000
+++ webpy-0.62/debian/changelog 2025-05-28 17:54:20.000000000 +0000
@@ -1,3 +1,10 @@
+webpy (1:0.62-4+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-3818: PostgreSQL SQL Injection (Closes: #1103780)
+
+ -- Adrian Bunk Wed, 28 May 2025 20:54:20 +0300
+
 webpy (1:0.62-4) unstable; urgency=medium
 * Fix debian/watch
diff -Nru webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch
--- webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch 1970-01-01 00:00:00.000000000 +0000
+++ webpy-0.62/debian/patches/0001-Address-CVE-2025-3818-807.patch 2025-05-28 17:39:22.000000000 +0000
@@ -0,0 +1,43 @@
+From fc5451478a5ae648a29738012094aeeb77e6c5b8 Mon Sep 17 00:00:00 2001
+From: Mek
+Date: Wed, 7 May 2025 15:14:44 -0400
+Subject: Address CVE-2025-3818 (#807)
+
+* Address CVE-2025-3818
+
+Co-authored-by: Scott Barnes
+
+---------
+
+Co-authored-by: Scott Barnes
+---
+ web/db.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/web/db.py b/web/db.py
+index 4559994..7e12d7f 100644
+--- a/web/db.py
++++ b/web/db.py
+@@ -1217,10 +1217,18 @@ class PostgresDB(DB):
+ seqname = None
+
+ if seqname:
+- query += "; SELECT currval('%s')" % seqname
++ query += self.get_sequence_query(seqname)
+
+ return query
+
++ def get_sequence_query(self, seqname):
++ import re
++ # Ensure the sequence name is valid
++ if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
++ raise ValueError(f"Invalid sequence name: {seqname}")
++ return SQLQuery("; SELECT currval(%s)", seqname)
++
++
+ def _get_all_sequences(self):
+ """Query postgres to find names of all sequences used in this database."""
+ if self._sequences is None:
+--
+2.30.2
+
diff -Nru webpy-0.62/debian/patches/series webpy-0.62/debian/patches/series
--- webpy-0.62/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ webpy-0.62/debian/patches/series 2025-05-28 17:54:20.000000000 +0000
@@ -0,0 +1 @@
+0001-Address-CVE-2025-3818-807.patch
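Review bot: The validator in the new `get_sequence_query` uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so a name such as `foo_seq\n` passes the check; the hunk's line `if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):` should become `if not re.fullmatch(r'[a-zA-Z_][a-zA-Z0-9_$]*', seqname):`. Because the returned `SQLQuery("; SELECT currval(%s)", seqname)` passes the name as a bound parameter rather than formatting it into the statement, the regex is defence in depth rather than the sole barrier, but a validator meant to reject anything unusual should do so exactly. The pattern also rejects schema-qualified names (`schema.seq`) and quoted identifiers that the replaced `'%s'` formatting allowed, which is a behaviour change for any caller passing such a seqname; if that is intended it belongs in a docstring on the method, e.g. `"""Return an SQLQuery fragment selecting currval(seqname); seqname must be a single unquoted identifier, else ValueError is raised."""`. The caller line `query += self.get_sequence_query(seqname)` now appends an SQLQuery where a str was appended before, which presumably works through SQLQuery's `__radd__` if `query` is a plain string at that point — worth confirming, since the enclosing method begins outside the hunk. Moving `import re` to module level would also follow the usual file-level import convention instead of re-importing on every call.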