From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#33751: closed (SQLite "Magellan" vulnerability)
Date: Tue, 25 Dec 2018 18:12:01 +0000
Your message dated Wed, 26 Dec 2018 02:11:28 +0800 with message-id <address@hidden> and subject line
[GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
has caused the debbugs.gnu.org bug report #33751, regarding SQLite "Magellan" vulnerability to be marked as done.

(If you believe you have received this mail in error, please contact address@hidden)

--
33751: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33751
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 01:18:30 +0100
User-agent: Notmuch/0.28 (https://notmuchmail.org) Emacs/26.1 (x86_64-pc-linux-gnu)

Hello!

There is allegedly a remote code execution bug in all versions of SQLite prior to 3.26.0:
<https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

  sqlite3_create_window_function

...but I have not tested this. It's difficult to tell which patches to apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for SQLite in order to catch users of libsqlite3.a. Can we start this on Berlin concurrently?

Patches attached.

0001-gnu-SQLite-Update-to-3.26.0.patch
Description: Text Data

0002-gnu-SQLite-Add-static-output.patch
Description: Text Data
--- End Message ---
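An added check, not part of the bug report, that applies the criterion Marius uses above: a graft is safe only when the new library removes or changes nothing, because already-built dependents keep referencing the old symbols. The function parses abidiff's summary lines; the sample input is constructed in abidiff's layout from the counts in the report, and the second sample is a constructed counter-example.

```shell
#!/bin/sh
# Added example: read abidiff output on stdin and succeed only when the
# update Removed or Changed nothing (Added symbols are harmless for a graft).
# Real use: abidiff old/lib/libsqlite3.so new/lib/libsqlite3.so | check_graft_abi

check_graft_abi() {
    awk '
        BEGIN { unsafe = 0; added = ""; in_added = 0 }
        # summary lines look like: "... 0 Removed, 0 Changed, 1 Added function"
        /changes summary:/ {
            for (i = 2; i <= NF; i++)
                if (($i == "Removed," || $i == "Changed,") && $(i-1) + 0 > 0)
                    unsafe += $(i-1)
        }
        # the detailed symbol list follows a header such as
        # "1 Added function symbol not referenced by debug info:"
        /^[0-9]+ Added .*:$/ { in_added = 1; next }
        in_added && /^[[:space:]]+[^[:space:]]/ { added = added " " $1; next }
        /^[0-9]+ (Removed|Changed) / { in_added = 0 }
        END {
            if (unsafe > 0) {
                print "NOT graft-safe: " unsafe " removed/changed item(s)"
                exit 1
            }
            print "graft-safe; added symbols:" (added == "" ? " none" : added)
        }
    '
}

# Constructed sample carrying the counts reported for libsqlite3 3.24.0 -> 3.26.0.
SAMPLE_OK='Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

  sqlite3_create_window_function
'

# Constructed counter-example: one exported function removed, so not graftable.
SAMPLE_BAD='Functions changes summary: 1 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
'

printf '%s' "$SAMPLE_OK" | check_graft_abi
```

abidiff also encodes the verdict in its exit status (bit 8, ABIDIFF_ABI_INCOMPATIBLE_CHANGE), so the parse above is a readable cross-check rather than the only signal.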
--- Begin Message ---
Subject: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Wed, 26 Dec 2018 02:11:28 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Closing as patch was applied

--- Begin Message ---
Subject: bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Mon, 24 Dec 2018 09:36:02 +0000

Your bug report

#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to address@hidden

--
33783: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message ---
Subject: Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Date: Mon, 24 Dec 2018 11:35:36 +0200
User-agent: Mutt/1.11.0 (2018-11-25)

Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
--- End Message ------ Begin Message ---Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes]. Date: Tue, 18 Dec 2018 10:53:19 +0800 User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) Tag: security Hello, This patch grafts sqlite to its latest version. It also changes all the sqlite-* packages to use 'package/inherit' so that they get the replacement as well. See <https://bugs.gnu.org/33751> for details.From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001 From: Alex Vong <address@hidden> Date: Tue, 18 Dec 2018 10:36:52 +0800 Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes]. Fixes <https://bugs.gnu.org/33751>. Reported by Marius Bakke <address@hidden>. * gnu/packages/databases.scm (sqlite-3.26.0): New public variable. (sqlite)[replacement]: Use it. (sqlite-with-fts5): Use 'package/inherit'. (sqlite-with-column-metadata): Likewise. --- gnu/packages/databases.scm | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 0fa6d451e..78d9a6739 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -24,7 +24,7 @@ ;;; Copyright © 2017 Adriano Peluso <address@hidden> ;;; Copyright © 2017 Arun Isaac <address@hidden> ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <address@hidden> -;;; Copyright © 2017 Alex Vong <address@hidden> +;;; Copyright © 2017, 2018 Alex Vong <address@hidden> ;;; Copyright © 2017, 2018 Ben Woodcroft <address@hidden> ;;; Copyright © 2017 Rutger Helling <address@hidden> ;;; Copyright © 2017, 2018 Pierre Langlois <address@hidden> @@ -1183,6 +1183,7 @@ changes.") (define-public sqlite (package (name "sqlite") + (replacement sqlite-3.26.0) (version "3.24.0") (source (origin (method url-fetch) 
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world. The source code for SQLite is in the public domain.") (license license:public-domain))) +(define-public sqlite-3.26.0 + (package/inherit sqlite + (version "3.26.0") + (source (origin + (method url-fetch) + (uri (let ((numeric-version + (match (string-split version #\.) + ((first-digit other-digits ...) + (string-append first-digit + (string-pad-right + (string-concatenate + (map (cut string-pad <> 2 #\0) + other-digits)) + 6 #\0)))))) + (string-append "https://sqlite.org/2018/sqlite-autoconf-" + numeric-version ".tar.gz"))) + (sha256 + (base32 + "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx")))))) + ;; This is used by Tracker. (define-public sqlite-with-fts5 - (package (inherit sqlite) + (package/inherit sqlite (name "sqlite-with-fts5") (arguments (substitute-keyword-arguments (package-arguments sqlite) @@ -1230,7 +1251,7 @@ is in the public domain.") ;; This is used by Qt. (define-public sqlite-with-column-metadata - (package (inherit sqlite) + (package/inherit sqlite (name "sqlite-with-column-metadata") (arguments (substitute-keyword-arguments (package-arguments sqlite) -- 2.19.2Cheers, Alexsignature.asc
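Review bot: in the `(replacement sqlite-3.26.0)` hunk and the `(define-public sqlite-3.26.0 ...)` hunk, the replacement is referenced before it is defined; that works because `replacement` is a thunked field of the package record and is evaluated lazily, but a one-line comment there would save the next reader from checking. The commit message should also record the ABI evidence that makes the graft legitimate: the abidiff run in bug#33751 shows 0 removed and 0 changed functions and variables, with only `sqlite3_create_window_function` added, which is exactly the condition a graft needs. Something like `;; Grafted in place; abidiff against 3.24.0 shows only sqlite3_create_window_function added.` next to the new definition would do.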
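Review bot: the switch to `package/inherit` in the `sqlite-with-fts5` and `sqlite-with-column-metadata` hunks is required, not cosmetic: `replacement` is an innate field, so plain `(package (inherit sqlite) ...)` would have left both variants without a replacement and still shipping 3.24.0. `package/inherit` applies the same `name` and `arguments` overrides to the replacement and binds `sqlite` to the replacement while evaluating them, so `(package-arguments sqlite)` inside `substitute-keyword-arguments` picks up the 3.26.0 arguments and the grafted variants are built with the fts5 and column-metadata flags. That reasoning deserves a sentence in the commit message, since the ChangeLog entry only says "Use 'package/inherit'".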
--- End Message ---
--- End Message ---
--- End Message ---