SQLite "Magellan" vulnerability

  • Done
  • quality assurance status badge
Details
5 participants
  • Alex Vong
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
M
M
Marius Bakke wrote on 15 Dec 2018 01:18
(address . bug-guix@gnu.org)
87r2ejve09.fsf@fastmail.com
Hello!

There is allegedly a remote code execution bug in all versions of SQLite

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

sqlite3_create_window_function

...but I have not tested this. It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a. Can we start this on
Berlin concurrently? Patches attached.
From 5556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:16 +0100
Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0.

* gnu/packages/databases.scm (sqlite): Update to 3.26.0.
---
gnu/packages/databases.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (24 lines)
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451ed..a3848dee8e 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1183,7 +1183,7 @@ changes.")
(define-public sqlite
(package
(name "sqlite")
- (version "3.24.0")
+ (version "3.26.0")
(source (origin
(method url-fetch)
(uri (let ((numeric-version
@@ -1199,7 +1199,7 @@ changes.")
numeric-version ".tar.gz")))
(sha256
(base32
- "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
+ "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))
(build-system gnu-build-system)
(inputs `(("readline" ,readline)))
(arguments
--
2.20.0
From ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:37 +0100
Subject: [PATCH 2/2] gnu: SQLite: Add static output.

* gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-library'.
[outputs]: New field.
---
gnu/packages/databases.scm | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)

Toggle diff (30 lines)
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index a3848dee8e..148b77882f 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1209,7 +1209,22 @@ changes.")
;; to use the system SQLite unless these options are enabled.
(list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
"-DSQLITE_ENABLE_UNLOCK_NOTIFY "
- "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
+ "-DSQLITE_ENABLE_DBSTAT_VTAB"))
+ #:phases (modify-phases %standard-phases
+ (add-after 'install 'move-static-library
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out"))
+ (static (assoc-ref outputs "static")))
+ (mkdir-p (string-append static "/lib"))
+ (rename-file (string-append out "/lib/libsqlite3.a")
+ (string-append static "/lib/libsqlite3.a"))
+ ;; Remove reference to the static library from the .la file
+ ;; so Libtool does the right thing when both the shared and
+ ;; static library is available.
+ (substitute* (string-append out "/lib/libsqlite3.la")
+ (("^old_library='libsqlite3.a'") "old_library=''"))
+ #t))))))
+ (outputs '("out" "static"))
(home-page "https://www.sqlite.org/")
(synopsis "The SQLite database management system")
(description
--
2.20.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlwUSFYACgkQoqBt8qM6
VPo+Pwf/ThaiyhJbpIPadBW8yM3JQm1e1JiLlcZkjrly1oDPX4hn6Je1AGnlu41Q
Tvjrwmv2QrN6T6HgP1n1e6AOvJs9FoskelfB1xfXkeaIdPj28toQPU4zwr/KbS8j
NxT4P0FJX+a5demGhu9rPvhO1Lz48oA186LQEXieWCFTgiXk5JS3CssqUUbUaJi1
BEiLfTYozP/ugJCMIud+lx6AkyfXgH/mqLi3Y0yfoctPgcqg7lYeHesdneqfgCsd
qjj3hwYGdbz/q2uhZTcfqdJ+P0StIuGIZTtrCvl8D2+ESD1ph8mBRxsOaTyNnj+0
OwDRlJjkHrAIqY9Vg/KdU04VRIF50g==
=kx1u
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 15 Dec 2018 02:51
(address . 33751@debbugs.gnu.org)
87o99nv9pa.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (24 lines)
> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 1 Added function symbol not referenced by debug info:
>
> sqlite3_create_window_function
>
> ...but I have not tested this. It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a. Can we start this on
> Berlin concurrently? Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
mean time? Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlwUXiIACgkQoqBt8qM6
VPqxoAf/TQpANxhNmV8Jzt6LqfODQ4TUt0WcI3GOFPQ9rTcSVMtyQZABzPKtc2d0
9E2S+4libYfWTeQk3cgiWb+OZiveVoFPQHG7LZxfhyY3yHxHU2LDha2AOluFWk7Q
uibst4jPfBkQFLYh47EZuTvXCa6rv1oZ41RGH4NklyXTRJiHauLfS7s+OkGenxmQ
CdETtTjqUbclzSzKpT8Q71MMn6584opMXUv8tf9uOfr2o2EPT8PbWBLviiDbdkRI
4rzDBVijaPh3T+9OBoraNycj7A4HdINOG0aQ2dVhYUREJGzSw2S7Uk+YJ+gw4UA/
q7mHzKv2DDjUnEExUVwFGWA8zLQhDg==
=Pmy5
-----END PGP SIGNATURE-----

R
R
Ricardo Wurmus wrote on 15 Dec 2018 11:47
Re: bug#33751: SQLite "Magellan" vulnerability
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 33751@debbugs.gnu.org)
87woobvzh0.fsf@elephly.net
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (31 lines)
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Hello!
>>
>> There is allegedly a remote code execution bug in all versions of SQLite
>> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>>
>> I think it is safe to graft 3.26.0 in-place:
>>
>> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
>> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
>> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
>> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>>
>> 1 Added function symbol not referenced by debug info:
>>
>> sqlite3_create_window_function
>>
>> ...but I have not tested this. It's difficult to tell which patches to
>> apply without knowing more details of the vulnerability.
>>
>> I am currently building a branch that adds a "static" output for
>> SQLite in order to catch users of libsqlite3.a. Can we start this on
>> Berlin concurrently? Patches attached.
>
> Perhaps it's better to start over 'staging' with the new SQLite in the
> mean time? Hydra didn't get too far yet.
>
> It does not add a lot to the current rebuild count.

Sounds good to me. Thank you!

--
Ricardo
M
M
Mark H Weaver wrote on 17 Dec 2018 20:04
Re: [SECURITY] Which packages bundle sqlite?
(name . Alex Vong)(address . alexvong1995@gmail.com)
87y38ovut0.fsf@netris.org
Hi Alex,

This issue is being tracked at https://bugs.gnu.org/33751,
so it would be best to send followups regarding this issue to
<33751@debbugs.gnu.org>.

Alex Vong <alexvong1995@gmail.com> writes:

Toggle quote (3 lines)
> I also want to know should we graft in this case since updating sqlite
> would cause ~4000s rebuilts.

Yes, it should be grafted.

Toggle quote (4 lines)
> Besides, how to deal with packages that
> inherit sqlite when grafting?
> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)

These should be changed to use the 'package/inherit' macro.

Thanks for working on it!

Mark
L
L
Ludovic Courtès wrote on 17 Dec 2018 23:04
control message for bug #33751
(address . control@debbugs.gnu.org)
87d0pz24jx.fsf@gnu.org
tags 33751 security
A
A
Alex Vong wrote on 18 Dec 2018 04:07
Re: [SECURITY] Which packages bundle sqlite?
(name . Mark H Weaver)(address . mhw@netris.org)
87bm5j1qj7.fsf@gmail.com
Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

Toggle quote (6 lines)
> Hi Alex,
>
> This issue is being tracked at <https://bugs.gnu.org/33751>,
> so it would be best to send followups regarding this issue to
> <33751@debbugs.gnu.org>.
>
Thanks for pointing me to the right place. I checked guix-patches but
not guix...

Toggle quote (13 lines)
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> I also want to know should we graft in this case since updating sqlite
>> would cause ~4000s rebuilts.
>
> Yes, it should be grafted.
>
>> Besides, how to deal with packages that
>> inherit sqlite when grafting?
>> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)
>
> These should be changed to use the 'package/inherit' macro.
>
Toggle quote (4 lines)
> Thanks for working on it!
>
> Mark

Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXBhkbAAKCRBh71Au9gJS
8jONAQD2AsJ6Fuj6thOnyo45WWhvmkBx/eUVguqWoc7a3XzrEQD+IwpRkEHPN6a8
cUVxfAJA9sGbch7+YFWHOnjmfpQtpA4=
=83Iz
-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 25 Dec 2018 19:11
[GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
(address . 33751-done@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87pntppjcf.fsf@gmail.com
Closing as patch was appied
Attachment: file
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXCJy0AAKCRBh71Au9gJS
8m2bAQDS+7q1hoDoaclKQDCl/PUTfxLfSIVux7s1VMClhGl03gEAo5rpJ3Sy4Zze
LvvKVlu0iPqzUoe4VXZo3HiNUtAvZQM=
=Diwx
-----END PGP SIGNATURE-----

Closed
?