From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 18 07:42:52 2021 Received: (at submit) by debbugs.gnu.org; 18 Mar 2021 11:42:52 +0000 Received: from localhost ([127.0.0.1]:45286 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMr3B-0005LB-4y for submit@debbugs.gnu.org; Thu, 18 Mar 2021 07:42:52 -0400 Received: from lists.gnu.org ([209.51.188.17]:35464) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMr39-0005L3-Nq for submit@debbugs.gnu.org; Thu, 18 Mar 2021 07:42:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47436) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMr39-0000hP-Ei for bug-guix@gnu.org; Thu, 18 Mar 2021 07:42:47 -0400 Received: from mail.zaclys.net ([178.33.93.72]:34563) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMr37-0000bz-7e for bug-guix@gnu.org; Thu, 18 Mar 2021 07:42:47 -0400 Received: from [192.168.0.27] (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12IBghcH007322 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Thu, 18 Mar 2021 12:42:43 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12IBghcH007322 Authentication-Results: mail.zaclys.net; dmarc=fail (p=reject dis=none) header.from=zaclys.net Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1616067763; bh=v53UTA74v4t9/UGf9YFhRUhgzKeHklPt7S9rkUmXqSE=; h=Subject:From:To:Date:From; b=MqBWWuOWs7ksZSD3bueF77bxPyT0Mw+TAtP47fnJ+t7pWGbQ5CkyY3deMAQt6Py4g QR+bRYZ/aZeUrZAMRxExYYiJYwJC/8pr0ozjSrs2vKHh1M4bfAjm2GnPMOl+nC2a7t 1ouwfLiBUu6zkCzSmnO/vauwWtg+Tj98T5AdKsE0= Message-ID: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net> Subject: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: bug-guix@gnu.org Date: Thu, 18 Mar 2021 12:42:43 +0100 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-sO1O21U/DX32CHq1Rl+N" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --=-sO1O21U/DX32CHq1Rl+N Content-Type: multipart/mixed; boundary="=-5cpjFKBTzS7jBpJccBHa" --=-5cpjFKBTzS7jBpJccBHa Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable According to https://www.sqlite.org/versionnumbers.html major versions of sqlite remain = ABI and file format backwards compatible. It means we could graft without trouble, 3.32.3 fixes all CVEs, however 3.32 introduces a test failure in Python 3.8.2 which is an errorneous test testing internal sqlite implementation detail (but grafting wont actually re-run this test suite). See: https://bugs.python.org/issue40784 Otherwise I am still trying to run GNU Guix's own test suite on this but it turns out unnecessarily complicated, see=20 https://issues.guix.gnu.org/47230 for suggestions on improving that process. Attached WIP patch. Thank you! L=C3=A9o --=-5cpjFKBTzS7jBpJccBHa Content-Disposition: attachment; filename="0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch" Content-Type: text/x-patch; name="0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch"; charset="UTF-8" Content-Transfer-Encoding: base64 RnJvbSBiMGY5NTY2ZTlmZjlhNWY0MDlhM2ZkNDI5M2MwNDhlYzU4YmM3NzBkIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiA9P1VURi04P3E/TD1DMz1BOW89MjBMZT0yMEJvdXRlcj89IDxs bGUtYm91dEB6YWNseXMubmV0PgpEYXRlOiBUaHUsIDE4IE1hciAyMDIxIDA3OjA5OjEwICswMTAw ClN1YmplY3Q6IFtQQVRDSF0gZ251OiBzcWxpdGU6IFVwZGF0ZSB0byAzLjMyLjMgW3NlY3VyaXR5 IGZpeGVzXS4KCiogZ251L3BhY2thZ2VzL3NxbGl0ZS5zY20gKHNxbGl0ZS9maXhlZCk6IE5ldyB2 YXJpYWJsZS4KKHNxbGl0ZSlbcmVwbGFjZW1lbnRdOiBHcmFmdC4KLS0tCiBnbnUvcGFja2FnZXMv c3FsaXRlLnNjbSB8IDIxICsrKysrKysrKysrKysrKysrKysrKwogMSBmaWxlIGNoYW5nZWQsIDIx IGluc2VydGlvbnMoKykKCmRpZmYgLS1naXQgYS9nbnUvcGFja2FnZXMvc3FsaXRlLnNjbSBiL2du dS9wYWNrYWdlcy9zcWxpdGUuc2NtCmluZGV4IGVlYjc3NzQ5ZDguLmNjMzc4YjM1OWEgMTAwNjQ0 Ci0tLSBhL2dudS9wYWNrYWdlcy9zcWxpdGUuc2NtCisrKyBiL2dudS9wYWNrYWdlcy9zcWxpdGUu c2NtCkBAIC02NSw2ICs2NSw3IEBACiAgICAgICAgICAgICAoc2hhMjU2CiAgICAgICAgICAgICAg KGJhc2UzMgogICAgICAgICAgICAgICAiMWJqOTM2c3ZkOGk1ZzI1eGQxYmo1MmhqNHpjYTAxZmds M3Nxa2o4Nno5cTVwa3o0d2EzMiIpKSkpCisgICAocmVwbGFjZW1lbnQgc3FsaXRlL2ZpeGVkKQog ICAgKGJ1aWxkLXN5c3RlbSBnbnUtYnVpbGQtc3lzdGVtKQogICAgKGlucHV0cyBgKCgicmVhZGxp bmUiICxyZWFkbGluZSkpKQogICAgKG5hdGl2ZS1pbnB1dHMgKGlmIChodXJkLXRhcmdldD8pCkBA IC0xMjIsNiArMTIzLDI2IEBAIHdpZGVseSBkZXBsb3llZCBTUUwgZGF0YWJhc2UgZW5naW5lIGlu IHRoZSB3b3JsZC4gIFRoZSBzb3VyY2UgY29kZSBmb3IgU1FMaXRlCiBpcyBpbiB0aGUgcHVibGlj IGRvbWFpbi4iKQogICAgKGxpY2Vuc2UgbGljZW5zZTpwdWJsaWMtZG9tYWluKSkpCiAKKyhkZWZp bmUtcHVibGljIHNxbGl0ZS9maXhlZAorICAocGFja2FnZS9pbmhlcml0IHNxbGl0ZQorICAgICh2 ZXJzaW9uICIzLjMyLjMiKQorICAgIChzb3VyY2UgKG9yaWdpbgorICAgICAgICAgICAgICAobWV0 aG9kIHVybC1mZXRjaCkKKyAgICAgICAgICAgICAgKHVyaSAobGV0ICgobnVtZXJpYy12ZXJzaW9u CisgICAgICAgICAgICAgICAgICAgICAgICAgIChtYXRjaCAoc3RyaW5nLXNwbGl0IHZlcnNpb24g I1wuKQorICAgICAgICAgICAgICAgICAgICAgICAgICAgICgoZmlyc3QtZGlnaXQgb3RoZXItZGln aXRzIC4uLikKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKHN0cmluZy1hcHBlbmQgZmly c3QtZGlnaXQKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKHN0 cmluZy1wYWQtcmlnaHQKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIChzdHJpbmctY29uY2F0ZW5hdGUKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAobWFwIChjdXQgc3RyaW5nLXBhZCA8PiAyICNcMCkKKyAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG90aGVyLWRpZ2l0cykpCisg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA2ICNcMCkpKSkpKQor ICAgICAgICAgICAgICAgICAgICAgKHN0cmluZy1hcHBlbmQgImh0dHBzOi8vc3FsaXRlLm9yZy8y MDIwL3NxbGl0ZS1hdXRvY29uZi0iCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICBudW1lcmljLXZlcnNpb24gIi50YXIuZ3oiKSkpCisgICAgICAgICAgICAgIChzaGEyNTYKKyAg ICAgICAgICAgICAgIChiYXNlMzIKKyAgICAgICAgICAgICAgICAiMHJsYmFxMTc3Z2NnazVkc3dk M2FrYmh2Mm52dnpsanJiaGd5MThoa2xiaHc3aDkwZjVkMyIpKSkpKSkKKwogOzsgQ29sdW1uIG1l dGFkYXRhIHN1cHBvcnQgd2FzIGFkZGVkIHRvIHRoZSByZWd1bGFyICdzcWxpdGUnIHBhY2thZ2Ug d2l0aAogOzsgY29tbWl0IGZhZDViMWE2ZDhkOWMzNmJlYTU3ODVhZTRmYmMxYmViMzdlNjQ0ZDcu CiAoZGVmaW5lLXB1YmxpYyBzcWxpdGUtd2l0aC1jb2x1bW4tbWV0YWRhdGEKLS0gCjIuMzEuMAoK --=-5cpjFKBTzS7jBpJccBHa-- --=-sO1O21U/DX32CHq1Rl+N Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBTPLMACgkQRaix6GvN EKZJUBAApTFFerO/WLrwpI8WEmTwZT80tKqvjkE/SYquptjGLFtEkIP9Wk3B8P9L Z9Culm0rU6KaRJuCIwVOHH3v7fS+dsedcVK/KRtNjmrnTy5Y7t7Y8WKFqULszpIo wkE2RANFyne7QzplhlzJ1JElxFgP5iE/0zc9KaGV+RCrXwLOCZyG+r0BykoTNze6 /cNdM4ri/XqfQNGAJyFroS8pDNQoeQuRsRgIQ3NlFOWVqPdEZGtnO8IVnMaVzb1I 4m+YHWr55/FjtzJKqqG+QlKi+FeH0qeUHgj26lHuINqZ2HnSQ47QyoD7qcFGcFNP 4FaRWiL6vY7oYKyeqoRYZoBp8aOHiIJT7KfC1o+G5fTTwMPzYF7Ri7M0EeINM6i+ vjZ292QnBRcBUuUfAB0EXCtcWXKJY5UEUrO8A4fYHbBAXxWRwsTfEvrAnbjoosGH YBfsWWhQ64fR56yqJF/AKHYwGz9sF+agr+FNzsuUwn5hE1LFUurUbMrTDVQr0/U7 U5kUlX6zuJLiTKHGZd/C2iDagLLgBL6H11twW0fHNKlZ3NGkInWO7vJpwyXerJKE yLy9THvETa/6/FBvdwOgt7gS7kxsTUHJva0YNNhgA6g+pp0eJsn8VXTMelHRIC8P PDc+WFdxAJu/cCEedraRPvDeP9CoWpm33NPl+i9OE14u2w3Tz84= =qiPe -----END PGP SIGNATURE----- --=-sO1O21U/DX32CHq1Rl+N--