sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327

Done
Submitted by Léo Le Bouter.
Details
3 participants
  • Léo Le Bouter
  • Tobias Geerinckx-Rice
  • Mark H Weaver
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 18 Mar 12:42 +0100
(address . bug-guix@gnu.org)
0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net
According to https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards compatible.
It means we could graft without trouble, 3.32.3 fixes all CVEs, however 3.32 introduces a test failure in Python 3.8.2 which is an erroneous test testing internal sqlite implementation detail (but grafting won't actually re-run this test suite).
See: https://bugs.python.org/issue40784
Otherwise I am still trying to run GNU Guix's own test suite on this but it turns out unnecessarily complicated, see https://issues.guix.gnu.org/47230 for suggestions on improving that process.
Attached WIP patch.
Thank you!
Léo
From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Thu, 18 Mar 2021 07:09:10 +0100
Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].

* gnu/packages/sqlite.scm (sqlite/fixed): New variable.
(sqlite)[replacement]: Graft.
---
 gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
Toggle diff (41 lines)diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scmindex eeb77749d8..cc378b359a 100644--- a/gnu/packages/sqlite.scm+++ b/gnu/packages/sqlite.scm@@ -65,6 +65,7 @@ (sha256 (base32 "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))+ (replacement sqlite/fixed) (build-system gnu-build-system) (inputs `(("readline" ,readline))) (native-inputs (if (hurd-target?)@@ -122,6 +123,26 @@ widely deployed SQL database engine in the world. The source code for SQLite is in the public domain.") (license license:public-domain))) +(define-public sqlite/fixed+ (package/inherit sqlite+ (version "3.32.3")+ (source (origin+ (method url-fetch)+ (uri (let ((numeric-version+ (match (string-split version #\.)+ ((first-digit other-digits ...)+ (string-append first-digit+ (string-pad-right+ (string-concatenate+ (map (cut string-pad <> 2 #\0)+ other-digits))+ 6 #\0))))))+ (string-append "https://sqlite.org/2020/sqlite-autoconf-"+ numeric-version ".tar.gz")))+ (sha256+ (base32+ "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3"))))))+ ;; Column metadata support was added to the regular 'sqlite' package with ;; commit fad5b1a6d8d9c36bea5785ae4fbc1beb37e644d7. (define-public sqlite-with-column-metadata-- 2.31.0
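Review bot: In the second hunk, `sqlite/fixed` is defined with `(package/inherit sqlite ...)` while the first hunk makes `sqlite/fixed` the `replacement` of `sqlite`. `package/inherit` also applies the same overrides to the parent's replacement, so using it to define that replacement makes the definition refer back to itself; write `(package (inherit sqlite) ...)` instead. As a smaller point, the URI hard-codes the release year in `"https://sqlite.org/2020/sqlite-autoconf-"`, so a short comment that the path has to be changed together with `version` would help the next update.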

Léo Le Bouter wrote on 19 Mar 11:30 +0100
(address . control@debbugs.gnu.org)
e09ecd15bacb52d3c8441c1f6f8cb42329efc496.camel@zaclys.net
tags 47231 + security
quit

Léo Le Bouter wrote on 24 Mar 00:37 +0100
(address . 47231@debbugs.gnu.org)
e38a431d1fe6bd5b2a79746b04497cc3fec49c59.camel@zaclys.net
One more:
CVE-2021-20227 23.03.21 18:15
A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.

Léo Le Bouter wrote on 24 Mar 23:54 +0100
(address . 47231@debbugs.gnu.org)
b8543b82478ccf61691186795f331f6ff9679862.camel@zaclys.net
I could test the graft with GNU Guix's test suite by manually replacing the sqlite input with sqlite/fixed like so:
Toggle diff (22 lines)diff --git a/gnu/packages/package-management.scmb/gnu/packages/package-management.scmindex 888f54322d..70f5c2dad3 100644--- a/gnu/packages/package-management.scm+++ b/gnu/packages/package-management.scm@@ -389,7 +389,7 @@ $(prefix)/etc/init.d\n"))) (inputs `(("bzip2" ,bzip2) ("gzip" ,gzip)- ("sqlite" ,sqlite)+ ("sqlite" ,sqlite/fixed) ("libgcrypt" ,libgcrypt) ("guile" ,guile-3.0-latest)
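Review bot: Swapping `("sqlite" ,sqlite)` for `("sqlite" ,sqlite/fixed)` in the `inputs` rebuilds this package against the new version, so it shows that 3.32.3 builds and passes the test suite but does not exercise the graft path, where binaries already built against the old sqlite are pointed at the new library without a rebuild. Keep this hunk as a local test only, and complement it by running an existing, non-rebuilt dependent against the grafted library before pushing.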
It worked fine.
Is that enough of a test to graft in master?
Let me know and I will push.
Léo

Tobias Geerinckx-Rice wrote on 25 Mar 12:27 +0100
87y2ebh3rz.fsf@nckx
Thanks!
I'm currently rebuilding IceCat with this change as an extra precaution, but that shouldn't take long. If that doesn't cause problems this LGTM for master.
Ludo', do you think the Guix test described here is a good one?
Kind regards,
T G-R
Tobias Geerinckx-Rice wrote on 25 Mar 16:56 +0100
87lfabgrcf.fsf@nckx
Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> I'm currently rebuilding IceCat with this change as an extra
> precaution, but that shouldn't take long. If that doesn't cause
> problems this LGTM for master.

OK, it worked, old IceCat writes new SQLite files.
Kind regards,
T G-R
Mark H Weaver wrote on 26 Mar 02:23 +0100
878s6ar9ko.fsf@netris.org
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
Toggle quote (30 lines)> From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001> From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>> Date: Thu, 18 Mar 2021 07:09:10 +0100> Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].>> * gnu/packages/sqlite.scm (sqlite/fixed): New variable.> (sqlite)[replacement]: Graft.> ---> gnu/packages/sqlite.scm | 21 +++++++++++++++++++++> 1 file changed, 21 insertions(+)>> diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm> index eeb77749d8..cc378b359a 100644> --- a/gnu/packages/sqlite.scm> +++ b/gnu/packages/sqlite.scm> @@ -65,6 +65,7 @@> (sha256> (base32> "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))> + (replacement sqlite/fixed)> (build-system gnu-build-system)> (inputs `(("readline" ,readline)))> (native-inputs (if (hurd-target?)> @@ -122,6 +123,26 @@ widely deployed SQL database engine in the world. The source code for SQLite> is in the public domain.")> (license license:public-domain)))> > +(define-public sqlite/fixed> + (package/inherit sqlite
Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should *not* use 'package/inherit', since the package you're defining is the replacement for the package you're inheriting from.
Otherwise, it looks good to me!
Thanks, Mark
Léo Le Bouter wrote on 26 Mar 02:36 +0100
318a4b5eed01580d377cc8199a4bfb0db30b5eeb.camel@zaclys.net
On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
>
> Otherwise, it looks good to me!
>
> Thanks,
> Mark

Adapted, wasn't sure what package/inherit was for exactly.
Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long. If that doesn't cause
> > problems this LGTM for master.
>
> OK, it worked, old IceCat writes new SQLite files.
>
> Kind regards,
>
> T G-R

Thank you both for the review!
Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!

Closed