Bug#931608: marked as done (buster-pu: package cloudkitty/8.0.0-4)

To: Thomas Goirand <zigo@debian.org>
Subject: Bug#931608: marked as done (buster-pu: package cloudkitty/8.0.0-4)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Mon, 08 Jul 2019 09:06:03 +0000
Message-id: <[🔎] handler.931608.D931608.156257661320337.ackdone@bugs.debian.org>
Reply-to: 931608@bugs.debian.org
References: <469a7d36-1f63-9044-f329-f064851d38bf@debian.org> <[🔎] 156257464033.19931.1816335840507995123.reportbug@buzig2.debian.org>

Your message dated Mon, 8 Jul 2019 11:03:28 +0200
with message-id <469a7d36-1f63-9044-f329-f064851d38bf@debian.org>
and subject line Closing
has caused the Debian Bug report #931608,
regarding buster-pu: package cloudkitty/8.0.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931608: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931608
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buster-pu: package cloudkitty/8.0.0-4
From: Thomas Goirand <zigo@debian.org>
Date: Mon, 08 Jul 2019 10:30:40 +0200
Message-id: <[🔎] 156257464033.19931.1816335840507995123.reportbug@buzig2.debian.org>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

The attached debdiff fixes the FTBS. Details are in the relevant bugs
(as per the debian/changelog). Please allow me to upload the fix to
Buster.

Cheers,

Thomas Goirand (zigo)

diff -Nru cloudkitty-8.0.0/debian/changelog cloudkitty-8.0.0/debian/changelog
--- cloudkitty-8.0.0/debian/changelog	2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/changelog	2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,11 @@
+cloudkitty (8.0.0-4+deb10u1) buster; urgency=medium
+
+  * Add upstream patch to fix FTBFS after we updated SQLAlchemy to fix
+    CVE-2019-7164 CVE-2019-7548 (SQL injection) (see debian bug 922669 and
+    929321 for more info) (Closes: #930996).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 28 Jun 2019 15:01:45 +0200
+
 cloudkitty (8.0.0-4) unstable; urgency=medium
 
   * Correct default path to metrics.yml in [collect]/metrics_conf.
diff -Nru cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
--- cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch	1970-01-01 01:00:00.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch	2019-06-28 15:01:45.000000000 +0200
@@ -0,0 +1,39 @@
+Description: Fix sqlalchemy grouping on v1 storage (Fixes FTBFS in Buster)
+ This fixes "CompileError: Can't resolve label reference for
+ ORDER BY / GROUP BY." error messages raised by sqlalchemy when the groupby
+ expression includes a comma.
+Author: Luka Peschke <luka.peschke@objectif-libre.com>
+Date: Tue, 4 Jun 2019 15:21:05 +0200
+Change-Id: Ia253175b45b8222aaee415ea535fa4102312be5a
+Bug-Debian: https://bugs.debian.org/930996
+Origin: upstream, https://review.opendev.org/668120
+Last-Update: 2019-06-28
+
+diff --git a/cloudkitty/storage/v1/sqlalchemy/__init__.py b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+index 77403e3..7b56da6 100644
+--- a/cloudkitty/storage/v1/sqlalchemy/__init__.py
++++ b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+@@ -127,7 +127,7 @@ class SQLAlchemyStorage(storage.BaseStorage):
+             self.frame_model.end <= end,
+             self.frame_model.res_type != '_NO_DATA_')
+         if groupby:
+-            q = q.group_by(groupby)
++            q = q.group_by(sqlalchemy.sql.text(groupby))
+ 
+         # Order by sum(rate)
+         q = q.order_by(sqlalchemy.func.sum(self.frame_model.rate))
+diff --git a/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+new file mode 100644
+index 0000000..02c1e4d
+--- /dev/null
++++ b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++  - |
++    ``CompileError: Can't resolve label reference for ORDER BY / GROUP BY.``
++    errors that were sometimes raised by SQLAlchemy when using the v1 storage
++    backend and grouping on ``tenant_id`` and ``res_type`` have been fixed.
+-- 
+2.7.4
+
diff -Nru cloudkitty-8.0.0/debian/patches/series cloudkitty-8.0.0/debian/patches/series
--- cloudkitty-8.0.0/debian/patches/series	2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/series	2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,4 @@
 allow-any-sqla-version.patch
 missing-files.patch
 remove-mathjax-extention-from-sphinx-doc.patch
+Fix_sqlalchemy_grouping_on_v1_storage.patch

--- End Message ---

--- Begin Message ---

To: 931608-done@bugs.debian.org

Subject: Closing

From: Thomas Goirand <zigo@debian.org>

Date: Mon, 8 Jul 2019 11:03:28 +0200

Message-id: <469a7d36-1f63-9044-f329-f064851d38bf@debian.org>
I've re-opened a new bug using: https://bugs.debian.org/931606
for buster-p-u.

Cheers,

Thomas Goirand (zigo)
--- End Message ---

Reply to:

References:
- Bug#931608: buster-pu: package cloudkitty/8.0.0-4
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Processed: Re: Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Next by Date: Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Previous by thread: Bug#931608: buster-pu: package cloudkitty/8.0.0-4
Next by thread: Processed: Re: Bug#931608: buster-pu: package cloudkitty/8.0.0-4
Index(es):
- Date
- Thread