SQLite "Magellan" vulnerability

  • Done
  • quality assurance status badge
Details
5 participants
  • Alex Vong
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
M
M
Marius Bakke wrote on 15 Dec 2018 01:18
(address . bug-guix@gnu.org)
87r2ejve09.fsf@fastmail.com
Hello!

There is allegedly a remote code execution bug in all versions of SQLite

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

sqlite3_create_window_function

...but I have not tested this. It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a. Can we start this on
Berlin concurrently? Patches attached.
From 5556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:16 +0100
Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0.

* gnu/packages/databases.scm (sqlite): Update to 3.26.0.
---
gnu/packages/databases.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (24 lines)
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451ed..a3848dee8e 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1183,7 +1183,7 @@ changes.")
(define-public sqlite
(package
(name "sqlite")
- (version "3.24.0")
+ (version "3.26.0")
(source (origin
(method url-fetch)
(uri (let ((numeric-version
@@ -1199,7 +1199,7 @@ changes.")
numeric-version ".tar.gz")))
(sha256
(base32
- "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
+ "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))
(build-system gnu-build-system)
(inputs `(("readline" ,readline)))
(arguments
--
2.20.0
From ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:37 +0100
Subject: [PATCH 2/2] gnu: SQLite: Add static output.

* gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-library'.
[outputs]: New field.
---
gnu/packages/databases.scm | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)

Toggle diff (30 lines)
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index a3848dee8e..148b77882f 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1209,7 +1209,22 @@ changes.")
;; to use the system SQLite unless these options are enabled.
(list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
"-DSQLITE_ENABLE_UNLOCK_NOTIFY "
- "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
+ "-DSQLITE_ENABLE_DBSTAT_VTAB"))
+ #:phases (modify-phases %standard-phases
+ (add-after 'install 'move-static-library
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out"))
+ (static (assoc-ref outputs "static")))
+ (mkdir-p (string-append static "/lib"))
+ (rename-file (string-append out "/lib/libsqlite3.a")
+ (string-append static "/lib/libsqlite3.a"))
+ ;; Remove reference to the static library from the .la file
+ ;; so Libtool does the right thing when both the shared and
+ ;; static library is available.
+ (substitute* (string-append out "/lib/libsqlite3.la")
+ (("^old_library='libsqlite3.a'") "old_library=''"))
+ #t))))))
+ (outputs '("out" "static"))
(home-page "https://www.sqlite.org/")
(synopsis "The SQLite database management system")
(description
--
2.20.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlwUSFYACgkQoqBt8qM6
VPo+Pwf/ThaiyhJbpIPadBW8yM3JQm1e1JiLlcZkjrly1oDPX4hn6Je1AGnlu41Q
Tvjrwmv2QrN6T6HgP1n1e6AOvJs9FoskelfB1xfXkeaIdPj28toQPU4zwr/KbS8j
NxT4P0FJX+a5demGhu9rPvhO1Lz48oA186LQEXieWCFTgiXk5JS3CssqUUbUaJi1
BEiLfTYozP/ugJCMIud+lx6AkyfXgH/mqLi3Y0yfoctPgcqg7lYeHesdneqfgCsd
qjj3hwYGdbz/q2uhZTcfqdJ+P0StIuGIZTtrCvl8D2+ESD1ph8mBRxsOaTyNnj+0
OwDRlJjkHrAIqY9Vg/KdU04VRIF50g==
=kx1u
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 15 Dec 2018 02:51
(address . 33751@debbugs.gnu.org)
87o99nv9pa.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (24 lines)
> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 1 Added function symbol not referenced by debug info:
>
> sqlite3_create_window_function
>
> ...but I have not tested this. It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a. Can we start this on
> Berlin concurrently? Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
mean time? Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlwUXiIACgkQoqBt8qM6
VPqxoAf/TQpANxhNmV8Jzt6LqfODQ4TUt0WcI3GOFPQ9rTcSVMtyQZABzPKtc2d0
9E2S+4libYfWTeQk3cgiWb+OZiveVoFPQHG7LZxfhyY3yHxHU2LDha2AOluFWk7Q
uibst4jPfBkQFLYh47EZuTvXCa6rv1oZ41RGH4NklyXTRJiHauLfS7s+OkGenxmQ
CdETtTjqUbclzSzKpT8Q71MMn6584opMXUv8tf9uOfr2o2EPT8PbWBLviiDbdkRI
4rzDBVijaPh3T+9OBoraNycj7A4HdINOG0aQ2dVhYUREJGzSw2S7Uk+YJ+gw4UA/
q7mHzKv2DDjUnEExUVwFGWA8zLQhDg==
=Pmy5
-----END PGP SIGNATURE-----

R
R
Ricardo Wurmus wrote on 15 Dec 2018 11:47
Re: bug#33751: SQLite "Magellan" vulnerability
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 33751@debbugs.gnu.org)
87woobvzh0.fsf@elephly.net
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (31 lines)
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Hello!
>>
>> There is allegedly a remote code execution bug in all versions of SQLite
>> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>>
>> I think it is safe to graft 3.26.0 in-place:
>>
>> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
>> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
>> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
>> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>>
>> 1 Added function symbol not referenced by debug info:
>>
>> sqlite3_create_window_function
>>
>> ...but I have not tested this. It's difficult to tell which patches to
>> apply without knowing more details of the vulnerability.
>>
>> I am currently building a branch that adds a "static" output for
>> SQLite in order to catch users of libsqlite3.a. Can we start this on
>> Berlin concurrently? Patches attached.
>
> Perhaps it's better to start over 'staging' with the new SQLite in the
> mean time? Hydra didn't get too far yet.
>
> It does not add a lot to the current rebuild count.

Sounds good to me. Thank you!

--
Ricardo
M
M
Mark H Weaver wrote on 17 Dec 2018 20:04
Re: [SECURITY] Which packages bundle sqlite?
(name . Alex Vong)(address . alexvong1995@gmail.com)
87y38ovut0.fsf@netris.org
Hi Alex,

This issue is being tracked at https://bugs.gnu.org/33751,
so it would be best to send followups regarding this issue to
<33751@debbugs.gnu.org>.

Alex Vong <alexvong1995@gmail.com> writes:

Toggle quote (3 lines)
> I also want to know should we graft in this case since updating sqlite
> would cause ~4000s rebuilts.

Yes, it should be grafted.

Toggle quote (4 lines)
> Besides, how to deal with packages that
> inherit sqlite when grafting?
> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)

These should be changed to use the 'package/inherit' macro.

Thanks for working on it!

Mark
L
L
Ludovic Courtès wrote on 17 Dec 2018 23:04
control message for bug #33751
(address . control@debbugs.gnu.org)
87d0pz24jx.fsf@gnu.org
tags 33751 security
A
A
Alex Vong wrote on 18 Dec 2018 04:07
Re: [SECURITY] Which packages bundle sqlite?
(name . Mark H Weaver)(address . mhw@netris.org)
87bm5j1qj7.fsf@gmail.com
Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

Toggle quote (6 lines)
> Hi Alex,
>
> This issue is being tracked at <https://bugs.gnu.org/33751>,
> so it would be best to send followups regarding this issue to
> <33751@debbugs.gnu.org>.
>
Thanks for pointing me to the right place. I checked guix-patches but
not guix...

Toggle quote (13 lines)
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> I also want to know should we graft in this case since updating sqlite
>> would cause ~4000s rebuilts.
>
> Yes, it should be grafted.
>
>> Besides, how to deal with packages that
>> inherit sqlite when grafting?
>> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)
>
> These should be changed to use the 'package/inherit' macro.
>
I sent the patch to

Toggle quote (4 lines)
> Thanks for working on it!
>
> Mark

Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXBhkbAAKCRBh71Au9gJS
8jONAQD2AsJ6Fuj6thOnyo45WWhvmkBx/eUVguqWoc7a3XzrEQD+IwpRkEHPN6a8
cUVxfAJA9sGbch7+YFWHOnjmfpQtpA4=
=83Iz
-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 25 Dec 2018 19:11
[GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
(address . 33751-done@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87pntppjcf.fsf@gmail.com
Closing as patch was appied
Attachment: file
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXCJy0AAKCRBh71Au9gJS
8m2bAQDS+7q1hoDoaclKQDCl/PUTfxLfSIVux7s1VMClhGl03gEAo5rpJ3Sy4Zze
LvvKVlu0iPqzUoe4VXZo3HiNUtAvZQM=
=Diwx
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 33751@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 33751
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch