Version in base suite: 1.8.0.10+dfsg-10 Base version: hsqldb1.8.0_1.8.0.10+dfsg-10 Target version: hsqldb1.8.0_1.8.0.10+dfsg-10+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/hsqldb1.8.0/hsqldb1.8.0_1.8.0.10+dfsg-10.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/hsqldb1.8.0/hsqldb1.8.0_1.8.0.10+dfsg-10+deb11u1.dsc debian/patches/avoid-execution-of-spurious-command-in-script-or-log-file.diff | 23 ++++++++++ hsqldb1.8.0-1.8.0.10+dfsg/debian/changelog | 8 +++ 2 files changed, 31 insertions(+)
diff -u hsqldb1.8.0-1.8.0.10+dfsg/debian/changelog hsqldb1.8.0-1.8.0.10+dfsg/debian/changelog
--- hsqldb1.8.0-1.8.0.10+dfsg/debian/changelog
+++ hsqldb1.8.0-1.8.0.10+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+hsqldb1.8.0 (1.8.0.10+dfsg-10+deb11u1) bullseye-security; urgency=medium
+
+ * add patch from upstream to
+ avoid execution of spurious command in script or log file
+ (CVE-2023-1183)
+
+ -- Rene Engelhard Thu, 15 Jun 2023 21:05:11 +0200
+
 hsqldb1.8.0 (1.8.0.10+dfsg-10) unstable; urgency=medium

 * add patch from LO to fix build with Java 11 (closes: #913051)
only in patch2: unchanged:
--- hsqldb1.8.0-1.8.0.10+dfsg.orig/debian/patches/avoid-execution-of-spurious-command-in-script-or-log-file.diff
+++ hsqldb1.8.0-1.8.0.10+dfsg/debian/patches/avoid-execution-of-spurious-command-in-script-or-log-file.diff
@@ -0,0 +1,23 @@
+--- hsqldb1.8.0-1.8.0.10+dfsg.orig/src/org/hsqldb/DatabaseCommandInterpreter.java
++++ hsqldb1.8.0-1.8.0.10+dfsg/src/org/hsqldb/DatabaseCommandInterpreter.java
+@@ -394,15 +394,18 @@
+
+ String token = tokenizer.getString();
+ ScriptWriterText dsw = null;
+-
+ session.checkAdmin();
+-
+ try {
+ if (tokenizer.wasValue()) {
+ if (tokenizer.getType() != Types.VARCHAR) {
+ throw Trace.error(Trace.INVALID_IDENTIFIER);
+ }
+
++ // added condition to avoid execution of spurious command in .script or .log file
++ if (session.isProcessingScript() || session.isProcessingLog()) {
++ return new Result(ResultConstants.UPDATECOUNT);
++ }
++
+ dsw = new ScriptWriterText(database, token, true, true, true);
+
+ dsw.writeAll();
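Review bot: The new guard in DatabaseCommandInterpreter.java drops a `SCRIPT '<file>'` statement met during .script/.log replay and reports it as a successful update, so nothing records that the statement was ever there. A file-writing statement inside a replayed file suggests the database files were edited or came from an untrusted source, which is the case the changelog ties to CVE-2023-1183. It would help to record the skipped statement through whatever application log is reachable from this class before the `return`, so the event can be noticed afterwards. The comment could also state the reason, e.g. `// CVE-2023-1183: never write a script file to a path read from a replayed .script/.log file`. The early return happens while `dsw` is still null and the enclosing method starts and ends outside the hunk, so confirm that its cleanup of `dsw` tolerates null.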