sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327

DoneSubmitted by Léo Le Bouter.
Details
3 participants
  • Léo Le Bouter
  • Tobias Geerinckx-Rice
  • Mark H Weaver
Owner
unassigned
Severity
normal
L
L
Léo Le Bouter wrote on 18 Mar 2021 12:42
(address . bug-guix@gnu.org)
0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net
According to
https://www.sqlite.org/versionnumbers.htmlmajor versions of sqlite remain ABI and file format backwards
compatible.

It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an errorneous
test testing internal sqlite implementation detail (but grafting wont
actually re-run this test suite).


Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see
https://issues.guix.gnu.org/47230for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo
From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Thu, 18 Mar 2021 07:09:10 +0100
Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].

* gnu/packages/sqlite.scm (sqlite/fixed): New variable.
(sqlite)[replacement]: Graft.
---
gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

Toggle diff (41 lines)
diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
index eeb77749d8..cc378b359a 100644
--- a/gnu/packages/sqlite.scm
+++ b/gnu/packages/sqlite.scm
@@ -65,6 +65,7 @@
             (sha256
              (base32
               "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
+   (replacement sqlite/fixed)
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (native-inputs (if (hurd-target?)
@@ -122,6 +123,26 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite/fixed
+  (package/inherit sqlite
+    (version "3.32.3")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2020/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3"))))))
+
 ;; Column metadata support was added to the regular 'sqlite' package with
 ;; commit fad5b1a6d8d9c36bea5785ae4fbc1beb37e644d7.
 (define-public sqlite-with-column-metadata
-- 
2.31.0
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBTPLMACgkQRaix6GvN
EKZJUBAApTFFerO/WLrwpI8WEmTwZT80tKqvjkE/SYquptjGLFtEkIP9Wk3B8P9L
Z9Culm0rU6KaRJuCIwVOHH3v7fS+dsedcVK/KRtNjmrnTy5Y7t7Y8WKFqULszpIo
wkE2RANFyne7QzplhlzJ1JElxFgP5iE/0zc9KaGV+RCrXwLOCZyG+r0BykoTNze6
/cNdM4ri/XqfQNGAJyFroS8pDNQoeQuRsRgIQ3NlFOWVqPdEZGtnO8IVnMaVzb1I
4m+YHWr55/FjtzJKqqG+QlKi+FeH0qeUHgj26lHuINqZ2HnSQ47QyoD7qcFGcFNP
4FaRWiL6vY7oYKyeqoRYZoBp8aOHiIJT7KfC1o+G5fTTwMPzYF7Ri7M0EeINM6i+
vjZ292QnBRcBUuUfAB0EXCtcWXKJY5UEUrO8A4fYHbBAXxWRwsTfEvrAnbjoosGH
YBfsWWhQ64fR56yqJF/AKHYwGz9sF+agr+FNzsuUwn5hE1LFUurUbMrTDVQr0/U7
U5kUlX6zuJLiTKHGZd/C2iDagLLgBL6H11twW0fHNKlZ3NGkInWO7vJpwyXerJKE
yLy9THvETa/6/FBvdwOgt7gS7kxsTUHJva0YNNhgA6g+pp0eJsn8VXTMelHRIC8P
PDc+WFdxAJu/cCEedraRPvDeP9CoWpm33NPl+i9OE14u2w3Tz84=
=qiPe
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 19 Mar 2021 11:30
(address . control@debbugs.gnu.org)
e09ecd15bacb52d3c8441c1f6f8cb42329efc496.camel@zaclys.net
tags 47231 + security
quit
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBUfS0ACgkQRaix6GvN
EKbGJg/7Be3+vtiRghdemNxnMas7ZTqenbF2En6k9Qpi2tZVoPRp3TV92Mjv0MHd
8wE2MB8dqV2D9aFZjrMBUjApzAw70kdE3QyONCR5k1XUjjwlXuoVmOKQHn+QYhgx
oZu5RSuxhrRFezxWIqDYDa5thAgPGt/sJPNwm1fV5AfvrCWxTfgg538nwGLvgTDF
c0N+oYB5L8d8iCgztAGxzQe4KnVCTULJGkqwlakmHpiQ7877NZwGFLP/c6Aehs2e
OFMLBICMVl5k7+jGYKaa+o+GQlRzKqTGYKOhxtpgyweKf/5u7Klh0KMnipOvN0Gc
9DMLEqbfp3W2LFGyhTX6Y+cwudYaGyw2mrV99h10DwOdySELy/invYD6EEfm+U21
BWiq+Le1lU6NZFViUCouuRJcpdgREpnc1Vo4pIA/b6xstUKv/hpCfMJO09I6tSVD
KxMTLR+3Ww5GPVq+zYzlUEgrmkCTGPcbcazcdT7tPvLYhkuf9FN727OwqYkqBUJG
X0k1nr2YV2VJux5I0pdCOBF3CVC2rkudpT1tFQ/zvy+Q9YE1W1iStUp3E0U4hgDk
grY5MwGPQXpSwZdtNe8b2OvRCnrZl+6gpVG4kxggG/BF9n7qLY4ikvUGUoDpbRoI
DGzQN9jP9gTujz7bBK/4l4EnKguw2rj+vcitY+iUsC0+AdgRH58=
=wvGS
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 24 Mar 2021 00:37
(address . 47231@debbugs.gnu.org)
e38a431d1fe6bd5b2a79746b04497cc3fec49c59.camel@zaclys.net
One more:

CVE-2021-20227 23.03.21 18:15
A flaw was found in SQLite's SELECT query functionality (src/select.c).
This flaw allows an attacker who is capable of running SQL queries
locally on the SQLite database to cause a denial of service or possible
code execution by triggering a use-after-free. The highest threat from
this vulnerability is to system availability.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBae5wACgkQRaix6GvN
EKZHSxAAspoVdkYpeZNVl/kQXjuZ6EVCb9IeS1oIDvwJaeH+CGZ8uX9KxxQhum6U
JmLx/UpZTWt30L4WobFdvVmyKFQqYu+o8BTRdq4O4EoimHgtFDb2+MJQHywf2GmH
AEu4HMLcD+5Z3T5ejSs2OW6O0c8l6nunQ1wFGU7LEhCnC/P5+dh6dLF5Q3oCy74x
vbgdniF1zXWNQ5M1dL5AkDonERIg8AWKZFfGbDqOx2Sd5sdsEBnO1MWrlAUp2w+V
skyPlJJSTpJo/MmajSIjCCnokGX8c0wIyMPWj8VIx72B7uamibvxZzYWfpab4IAB
0929b8vzyTuiFB+UyKHlQEthqVVTZWUURGU/LraLKQ2G91ocOyfZAOvsOJcwbJk3
6UvfgsfR00qfPb5lOXW2roxmvng68/OIXGbHvsV5pNTclkAvFOlajvtr5k6MrQmx
sPXOfw8Ir8iRRQGydD1OaocD2y60O9Mi0vYhvCDzAIeCweAwFU7bKiDbmTKgXb47
owZnfiWAbfl1ZI0aO63pqiWKl3ErFPuYzuEIWw91hydEhnWIAGMV0ytalKEsqvEA
MNt4dfeoD+5uX8RIIqKKehuf70VgBAN9v0T3bl5YOTgO38gTAyKvJ4ux2XgCYWFb
H98W0M0BaJlGgG/DAeNKeiKmU1RhFPhGpzxvCoMA88jcsRC34HU=
=oyEc
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 24 Mar 2021 23:54
(address . 47231@debbugs.gnu.org)
b8543b82478ccf61691186795f331f6ff9679862.camel@zaclys.net
I could test the graft with GNU Guix's test suite by manually replacing
the sqlite input with sqlite/fixed like so:

Toggle diff (22 lines)
diff --git a/gnu/packages/package-management.scm
b/gnu/packages/package-management.scm
index 888f54322d..70f5c2dad3 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -389,7 +389,7 @@ $(prefix)/etc/init.d\n")))
       (inputs
        `(("bzip2" ,bzip2)
          ("gzip" ,gzip)
-         ("sqlite" ,sqlite)
+         ("sqlite" ,sqlite/fixed)
          ("libgcrypt" ,libgcrypt)
 
          ("guile" ,guile-3.0-latest)

It worked fine.

Is that enough of a test to graft in master?

Let me know and I will push.

Léo
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBbwzwACgkQRaix6GvN
EKZCfw/9GIy7enKa+oQVirZReSLUKcBeaRY7nK6bl6WsWq+nZCtpvh4HSWZL2ESC
c7nJW1M9zI7pY8oSkZ1ztKa27UUvXaMh3G7q7Yzt9twQmLqVta2oeeIYMfiyuR5u
4pL3Kvjmx4Efv2svjKxRJoNoC4n+FusHChErMEz0ALkx4XHWi2mBTRj9deaeRZ0B
006DJ/7/2KuoKyitzDaYrw9a8o0VDrv6eXc/1g/p+5ue2nCzoyMTnDqGrSTgO7Xw
ndqLhI9rn6Dn/s0GDm3IIqSMDKZ1zFOxSwpoxf/xOWNzZKFpKHkbnW2UxJI0JdOW
xr9UbIm/MLOweTOUH1D/KKwFG24lDn+TvlOT4sIz8XEvtA/os+j0ohbzocGP7Ynh
cVCLPDW4NU61cbawwFgHWtkbOs7O4TwDz/DCOSynS38vWfUsEvJvTtdGfTm6IjXC
bAp49Ua8zrlcV7FPXQKuCrMDBPT6csa+cHgmCcOlnIt7EhMmKrXuTEoxj9DiMwxs
f+lhChZDGu3aALAW8mPLOwxw5wUM5GZ0sNn+Rf6nmx0FP3gj7FXWkuGkRxz3lnIX
kxaP9uE285lunYJ98bRSfVI2+NO0203YAyOwFYDqym+1PuG/kqw+Isafb3GsIsC/
S6wPvoiEVnfWC+3Z2plKezj7rbdrR6FriaMQH53RvjLwD3+fYMc=
=izmd
-----END PGP SIGNATURE-----


T
T
Tobias Geerinckx-Rice wrote on 25 Mar 2021 12:27
87y2ebh3rz.fsf@nckx
Thanks!

I'm currently rebuilding IceCat with this change as an extra
precaution, but that shouldn't take long. If that doesn't cause
problems this LGTM for master.

Ludo', do you think the Guix test described here is a good one?

Kind regards,

T G-R
T
T
Tobias Geerinckx-Rice wrote on 25 Mar 2021 16:56
87lfabgrcf.fsf@nckx
Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
Toggle quote (4 lines)
> I'm currently rebuilding IceCat with this change as an extra
> precaution, but that shouldn't take long. If that doesn't cause
> problems this LGTM for master.

OK, it worked, old IceCat writes new SQlite files.

Kind regards,

T G-R
M
M
Mark H Weaver wrote on 26 Mar 2021 02:23
878s6ar9ko.fsf@netris.org
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

Toggle quote (30 lines)
> From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
> Date: Thu, 18 Mar 2021 07:09:10 +0100
> Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].
>
> * gnu/packages/sqlite.scm (sqlite/fixed): New variable.
> (sqlite)[replacement]: Graft.
> ---
> gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
> index eeb77749d8..cc378b359a 100644
> --- a/gnu/packages/sqlite.scm
> +++ b/gnu/packages/sqlite.scm
> @@ -65,6 +65,7 @@
> (sha256
> (base32
> "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
> + (replacement sqlite/fixed)
> (build-system gnu-build-system)
> (inputs `(("readline" ,readline)))
> (native-inputs (if (hurd-target?)
> @@ -122,6 +123,26 @@ widely deployed SQL database engine in the world. The source code for SQLite
> is in the public domain.")
> (license license:public-domain)))
>
> +(define-public sqlite/fixed
> + (package/inherit sqlite

Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should
*not* use 'package/inherit', since the package you're defining is the
replacement for the package you're inheriting from.

Otherwise, it looks good to me!

Thanks,
Mark
L
L
Léo Le Bouter wrote on 26 Mar 2021 02:36
318a4b5eed01580d377cc8199a4bfb0db30b5eeb.camel@zaclys.net
On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
Toggle quote (11 lines)
>
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed'
> should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
>
> Otherwise, it looks good to me!
>
> Thanks,
> Mark

Adapted, wasnt sure what package/inherit was for exactly.

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
Toggle quote (10 lines)
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long. If that doesn't cause
> > problems this LGTM for master.
>
> OK, it worked, old IceCat writes new SQlite files.
>
> Kind regards,
>
> T G-R

Thank you both for the review!

Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBdOpAACgkQRaix6GvN
EKa/Ww/+KE56ZH8cX2Q8rIJ3PHtHE3+CescwipGpKjTPJNF1eUag0vKsivRZe0pV
JVqR6a04Zk8rGk5UWCKpLIH8a29ciw3RBGuWMgDiVzT3MOi19NxF64ofoWxxjr1M
b1C3wp9AJDCUwmowOgOSO0fB/aII6hXn0ny4UMSC05ScSizpQMnM5b+UXXWRM82K
YtNxUcjvDGMW/CwU15hQzvKtJpAH/19MI6TtRIEEqkZZshqDoO70nbC9MmLVy8R6
F/EzNZK0SbhhHf/OCc7drIOoBw2+zuZ1hcPgA4oT7qGU5ohRNVycILj4RWDvIhp5
5nHC2N3lWojfEAvkO4pi1+oR9AyiPEITwg20gSerpjsFvMJOOAHQljlUTjwE+qDa
SvO6Isu9SzkaFWcOZOJ2sd+TnxqCb6JrZfObtzc5MnQ9RZ8ReeadfA5GqH3KA07k
5dUoF5Go6KK5zuxRB9qAqwXErps1CJx5pLgbGQRsDP5Sdo1WT0+0tDcbBmC/oVtf
3XCaW8B85IN0vGlZCQnMcsClgSWGiqXqnw2u/k2Jas83v/gEgP9ZvUI3rMXHnPlt
7dKAvOzV3KBikRGrBW7A2qBmOToQyNeN/TEwEGLIezGQskq8c9TyMH+PDS02taOn
peMXf29nXqyo4oulqABfXc+xoukbfCZAJuaKfhpj40ULTCj+EgM=
=SIkP
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 47231@debbugs.gnu.org