SQLite "Magellan" vulnerability

Done. Submitted by Marius Bakke.
Details
5 participants
  • Alex Vong
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
  • Ricardo Wurmus
Owner
unassigned
Severity
normal
Marius Bakke wrote on 15 Dec 2018 01:18
(address . bug-guix@gnu.org)
87r2ejve09.fsf@fastmail.com
Hello!
There is allegedly a remote code execution bug in all versions of SQLite prior to 3.26.0: https://blade.tencent.com/magellan/index_en.html.
I think it is safe to graft 3.26.0 in-place:
$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
1 Added function symbol not referenced by debug info:
sqlite3_create_window_function
...but I have not tested this. It's difficult to tell which patches to apply without knowing more details of the vulnerability.
I am currently building a branch that adds a "static" output for SQLite in order to catch users of libsqlite3.a. Can we start this on Berlin concurrently? Patches attached.
From 5556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:16 +0100
Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0.

* gnu/packages/databases.scm (sqlite): Update to 3.26.0.
---
 gnu/packages/databases.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Toggle diff (24 lines)diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scmindex 0fa6d451ed..a3848dee8e 100644--- a/gnu/packages/databases.scm+++ b/gnu/packages/databases.scm@@ -1183,7 +1183,7 @@ changes.") (define-public sqlite (package (name "sqlite")- (version "3.24.0")+ (version "3.26.0") (source (origin (method url-fetch) (uri (let ((numeric-version@@ -1199,7 +1199,7 @@ changes.") numeric-version ".tar.gz"))) (sha256 (base32- "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))+ "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx")))) (build-system gnu-build-system) (inputs `(("readline" ,readline))) (arguments-- 2.20.0
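Review bot: the subject "gnu: SQLite: Update to 3.26.0." and the one-line ChangeLog entry record nothing about why the version and hash change; the only motivation in this thread is the Magellan bug, so add "[security fixes]" to the subject and a "Fixes <https://bugs.gnu.org/33751>." line so the history shows that the bump from 3.24.0 (hash 0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr) to 3.26.0 (hash 0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx) was a security update rather than a routine refresh.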
From ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:37 +0100
Subject: [PATCH 2/2] gnu: SQLite: Add static output.

* gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-library'.
[outputs]: New field.
---
 gnu/packages/databases.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
Toggle diff (30 lines)diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scmindex a3848dee8e..148b77882f 100644--- a/gnu/packages/databases.scm+++ b/gnu/packages/databases.scm@@ -1209,7 +1209,22 @@ changes.") ;; to use the system SQLite unless these options are enabled. (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE " "-DSQLITE_ENABLE_UNLOCK_NOTIFY "- "-DSQLITE_ENABLE_DBSTAT_VTAB"))))+ "-DSQLITE_ENABLE_DBSTAT_VTAB"))+ #:phases (modify-phases %standard-phases+ (add-after 'install 'move-static-library+ (lambda* (#:key outputs #:allow-other-keys)+ (let ((out (assoc-ref outputs "out"))+ (static (assoc-ref outputs "static")))+ (mkdir-p (string-append static "/lib"))+ (rename-file (string-append out "/lib/libsqlite3.a")+ (string-append static "/lib/libsqlite3.a"))+ ;; Remove reference to the static library from the .la file+ ;; so Libtool does the right thing when both the shared and+ ;; static library is available.+ (substitute* (string-append out "/lib/libsqlite3.la")+ (("^old_library='libsqlite3.a'") "old_library=''"))+ #t))))))+ (outputs '("out" "static")) (home-page "https://www.sqlite.org/") (synopsis "The SQLite database management system") (description-- 2.20.0
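Review bot: the 'move-static-library' phase calls rename-file on out/lib/libsqlite3.a unconditionally, so the build will abort if a future configure flag (such as --disable-static) stops the archive from being produced; a one-line comment stating that the default build is relied on to emit libsqlite3.a would make that dependency visible. Also, the new "static" output receives only the archive: a consumer linking statically still needs the headers from "out", and because the phase rewrites old_library='libsqlite3.a' to old_library='' in libsqlite3.la, libtool will no longer find the archive by itself, so such consumers must point at the static output's lib directory explicitly. Worth stating in the commit message so packagers of libsqlite3.a users know to add both outputs.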
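The abidiff run above is the gate for the graft: a replacement library may be substituted in place only if it removes or changes nothing that already-built dependents could have linked against, and the "0 Removed, 0 Changed, 1 Added" summary is what makes 3.26.0 a candidate. The script below is an added example, not part of this bug report or of Guix, that performs the same superset test on exported-symbol name lists of the kind `nm -D --defined-only` produces. Both lists are constructed inline (a few real sqlite3 API names plus the one symbol abidiff reported as added) so the script runs offline; the function names `symbols_removed`, `symbols_added`, `graft_safe` and `abi_report` are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Guix: a name-level
# exported-symbol comparison between an old and a new shared library,
# mirroring the "0 Removed, 0 Changed, 1 Added" reading of abidiff.
# On a real system each list would come from something like:
#   nm -D --defined-only libsqlite3.so | awk '$2 ~ /[TtWw]/ {print $3}' | sort -u
# Here both lists are constructed inline so the script runs offline.

# Constructed stand-in for the 3.24.0 export list (a few real sqlite3 API names).
OLD_SYMS='sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_finalize'

# Constructed stand-in for 3.26.0: the same names plus the one symbol
# abidiff reported as added in the thread.
NEW_SYMS='sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_finalize
sqlite3_create_window_function'

# symbols_removed OLD NEW: print each name OLD exports that NEW no longer does.
symbols_removed() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r sym; do
        [ -n "$sym" ] || continue
        printf '%s\n' "$2" | grep -qxF -e "$sym" || printf '%s\n' "$sym"
    done
}

# symbols_added OLD NEW: names NEW exports that OLD did not.  Additions are
# harmless for a graft: no existing binary can reference them.
symbols_added() {
    symbols_removed "$2" "$1"
}

# graft_safe OLD NEW: succeed only when NEW exports a superset of OLD, i.e.
# nothing a dependent binary may have been linked against has gone away.
graft_safe() {
    [ -z "$(symbols_removed "$1" "$2")" ]
}

# abi_report OLD NEW: summary in the spirit of abidiff's output lines.
abi_report() {
    removed=$(symbols_removed "$1" "$2")
    added=$(symbols_added "$1" "$2")
    printf 'Symbols removed: %s\n' "$(printf '%s' "$removed" | grep -c .)"
    printf 'Symbols added:   %s\n' "$(printf '%s' "$added" | grep -c .)"
    [ -z "$removed" ] || printf '%s\n' "$removed" | sed 's/^/  - /'
    [ -z "$added" ]   || printf '%s\n' "$added"   | sed 's/^/  + /'
}

# Stand-alone run over the constructed lists.
abi_report "$OLD_SYMS" "$NEW_SYMS"
if graft_safe "$OLD_SYMS" "$NEW_SYMS"; then
    echo "graft looks ABI-safe at the symbol level"
else
    echo "graft NOT safe: exported symbols disappeared"
fi
```

This only compares names, so it is a first-pass check that also works on stripped libraries; it cannot see a function whose signature changed or a public struct whose layout changed, which is exactly what abidiff's "0 Changed" line covers using debug info. Treat a clean result here as necessary, not sufficient, and keep the abidiff run (or a dependent's test suite) as the final word before grafting.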
Marius Bakke wrote on 15 Dec 2018 02:51
(address . 33751@debbugs.gnu.org)
87o99nv9pa.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:
> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 1 Added function symbol not referenced by debug info:
>
> sqlite3_create_window_function
>
> ...but I have not tested this. It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a. Can we start this on
> Berlin concurrently? Patches attached.
Perhaps it's better to start over 'staging' with the new SQLite in the meantime? Hydra didn't get too far yet.
It does not add a lot to the current rebuild count.
Ricardo Wurmus wrote on 15 Dec 2018 11:47
Re: bug#33751: SQLite "Magellan" vulnerability
(name . Marius Bakke) (address . mbakke@fastmail.com) (address . 33751@debbugs.gnu.org)
87woobvzh0.fsf@elephly.net
Marius Bakke <mbakke@fastmail.com> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Hello!
>>
>> There is allegedly a remote code execution bug in all versions of SQLite
>> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>>
>> I think it is safe to graft 3.26.0 in-place:
>>
>> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
>> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
>> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
>> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>>
>> 1 Added function symbol not referenced by debug info:
>>
>> sqlite3_create_window_function
>>
>> ...but I have not tested this. It's difficult to tell which patches to
>> apply without knowing more details of the vulnerability.
>>
>> I am currently building a branch that adds a "static" output for
>> SQLite in order to catch users of libsqlite3.a. Can we start this on
>> Berlin concurrently? Patches attached.
>
> Perhaps it's better to start over 'staging' with the new SQLite in the
> mean time? Hydra didn't get too far yet.
>
> It does not add a lot to the current rebuild count.
Sounds good to me. Thank you!
-- Ricardo
Mark H Weaver wrote on 17 Dec 2018 20:04
Re: [SECURITY] Which packages bundle sqlite?
(name . Alex Vong) (address . alexvong1995@gmail.com)
87y38ovut0.fsf@netris.org
Hi Alex,
This issue is being tracked at https://bugs.gnu.org/33751, so it would be best to send followups regarding this issue to <33751@debbugs.gnu.org>.
Alex Vong <alexvong1995@gmail.com> writes:
> I also want to know should we graft in this case since updating sqlite
> would cause ~4000 rebuilds.
Yes, it should be grafted.
> Besides, how to deal with packages that
> inherit sqlite when grafting?
> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)
These should be changed to use the 'package/inherit' macro.
Thanks for working on it!
Mark
Ludovic Courtès wrote on 17 Dec 2018 23:04
control message for bug #33751
(address . control@debbugs.gnu.org)
87d0pz24jx.fsf@gnu.org
tags 33751 security
Alex Vong wrote on 18 Dec 2018 04:07
Re: [SECURITY] Which packages bundle sqlite?
(name . Mark H Weaver) (address . mhw@netris.org)
87bm5j1qj7.fsf@gmail.com
Hi Mark,
Mark H Weaver <mhw@netris.org> writes:
> Hi Alex,
>
> This issue is being tracked at <https://bugs.gnu.org/33751>,
> so it would be best to send followups regarding this issue to
> <33751@debbugs.gnu.org>.
>
Thanks for pointing me to the right place. I checked guix-patches but not guix...
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> I also want to know should we graft in this case since updating sqlite
>> would cause ~4000 rebuilds.
>
> Yes, it should be grafted.
>
>> Besides, how to deal with packages that
>> inherit sqlite when grafting?
>> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)
>
> These should be changed to use the 'package/inherit' macro.
>
> Thanks for working on it!
>
> Mark
Cheers,
Alex
Alex Vong wrote on 25 Dec 2018 19:11
[GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
(address . 33751-done@debbugs.gnu.org) (address . alexvong1995@gmail.com)
87pntppjcf.fsf@gmail.com
Closing as patch was applied.
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 24 Dec 2018 09:36:02 +0000
Subject: bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
Your bug report
#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
which was filed against the guix-patches package, has been closed.
The explanation is attached below, along with your original report. If you require more details, please reply to 33783@debbugs.gnu.org.
--
33783: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Efraim Flashner <efraim@flashner.co.il>
To: 33783-done@debbugs.gnu.org
Date: Mon, 24 Dec 2018 11:35:36 +0200
Subject: Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Date: Tue, 18 Dec 2018 10:53:19 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Tag: security
Hello,
This patch grafts sqlite to its latest version. It also changes all the sqlite-* packages to use 'package/inherit' so that they get the replacement as well. See https://bugs.gnu.org/33751 for details.

Attachment: 0001-gnu-sqlite-Replace-with-3.26.0-security-fixes.patch
From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Fixes https://bugs.gnu.org/33751.
Reported by Marius Bakke <mbakke@fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
 gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
Toggle diff (95 lines)diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scmindex 0fa6d451e..78d9a6739 100644=2D-- a/gnu/packages/databases.scm+++ b/gnu/packages/databases.scm@@ -24,7 +24,7 @@ ;;; Copyright =C2=A9 2017 Adriano Peluso <catonano@gmail.com> ;;; Copyright =C2=A9 2017 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright =C2=A9 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>=2D;;; Copyright =C2=A9 2017 Alex Vong <alexvong1995@gmail.com>+;;; Copyright =C2=A9 2017, 2018 Alex Vong <alexvong1995@gmail.com> ;;; Copyright =C2=A9 2017, 2018 Ben Woodcroft <donttrustben@gmail.com> ;;; Copyright =C2=A9 2017 Rutger Helling <rhelling@mykolab.com> ;;; Copyright =C2=A9 2017, 2018 Pierre Langlois <pierre.langlois@gmx.com>@@ -1183,6 +1183,7 @@ changes.") (define-public sqlite (package (name "sqlite")+ (replacement sqlite-3.26.0) (version "3.24.0") (source (origin (method url-fetch)@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world. T=he source code for SQLite is in the public domain.") (license license:public-domain)))=20+(define-public sqlite-3.26.0+ (package/inherit sqlite+ (version "3.26.0")+ (source (origin+ (method url-fetch)+ (uri (let ((numeric-version+ (match (string-split version #\.)+ ((first-digit other-digits ...)+ (string-append first-digit+ (string-pad-right+ (string-concatenate+ (map (cut string-pad <> 2 #\=0)+ other-digits))+ 6 #\0))))))+ (string-append "https://sqlite.org/2018/sqlite-autoco=nf-"+ numeric-version ".tar.gz")))+ (sha256+ (base32+ "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))=))+ ;; This is used by Tracker. (define-public sqlite-with-fts5=2D (package (inherit sqlite)+ (package/inherit sqlite (name "sqlite-with-fts5") (arguments (substitute-keyword-arguments (package-arguments sqlite)@@ -1230,7 +1251,7 @@ is in the public domain.")=20 ;; This is used by Qt. 
(define-public sqlite-with-column-metadata=2D (package (inherit sqlite)+ (package/inherit sqlite (name "sqlite-with-column-metadata") (arguments (substitute-keyword-arguments (package-arguments sqlite)=2D-=202.19.2
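Review bot: sqlite-3.26.0 is itself defined with (package/inherit sqlite ...), but package/inherit is the macro that also carries the replacement field over, and sqlite's replacement is sqlite-3.26.0; the replacement package therefore ends up with a replacement of its own derived from itself, which is not what a graft target should carry. The usual form for the replacement is plain (package (inherit sqlite) (version "3.26.0") ...), leaving package/inherit for the two dependents (sqlite-with-fts5 and sqlite-with-column-metadata), which the same hunk switches over exactly as suggested earlier in the thread. The ChangeLog line "(sqlite)[replacement]: Use it." is otherwise accurate. Separately, the URI added for 3.26.0 hard-codes the "2018/" year directory on sqlite.org, so whoever next bumps the replacement has to update that path together with the version and hash.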


Cheers,
Alex
Closed