sqlite3: CVE-2017-15286: NULL pointer dereference in tableColumnList

Related Vulnerabilities: CVE-2017-15286  

Debian Bug report logs - #878680

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 15 Oct 2017 18:27:04 UTC

Severity: important

Tags: security, upstream

Found in version sqlite3/3.20.1-1

Fixed in version sqlite3/3.20.1-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#878680; Package src:sqlite3. (Sun, 15 Oct 2017 18:27:07 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 15 Oct 2017 18:27:07 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sqlite3: CVE-2017-15286: NULL pointer dereference in tableColumnList
Date: Sun, 15 Oct 2017 20:25:55 +0200
Source: sqlite3
Version: 3.20.1-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for sqlite3.

CVE-2017-15286[0]:
| SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in
| shell.c because it fails to consider certain cases where
| `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is
| never initialized.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15286
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15286
[1] https://github.com/Ha0Team/crash-of-sqlite3/blob/master/poc.md
[2] http://www.sqlite.org/src/info/5d0ceb8dcdef92cd

Attaching the poc.db.

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
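
Added example, not part of the original bug log and not SQLite's source: a simplified C model of the pattern the CVE description names, where a list is allocated only inside a row loop and then written to after the loop. The `RowSource` type and all function names are assumptions made for illustration; the guard after the loop is what keeps the zero-row case from writing through a NULL pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a prepared statement that yields column names. */
typedef struct { const char **names; int n; int pos; } RowSource;

static int next_row(RowSource *s) { return s->pos < s->n ? (s->pos++, 1) : 0; }

static void free_columns(char **az, int nCol) {
    if (az == NULL) return;
    for (int i = 1; i <= nCol; i++) free(az[i]);
    free(az);
}

/* Builds a list with slot 0 reserved and a NULL terminator after the last
   name. Returns NULL when the source produced no rows or memory ran out. */
static char **column_list(RowSource *s, int *pnCol) {
    char **az = NULL;
    int nCol = 0, nAlloc = 0;
    *pnCol = 0;
    while (next_row(s)) {
        const char *name = s->names[s->pos - 1];
        size_t len = strlen(name) + 1;
        if (nCol >= nAlloc - 2) {          /* keep room for the terminator */
            nAlloc = nAlloc * 2 + nCol + 10;
            char **tmp = realloc(az, (size_t)nAlloc * sizeof(az[0]));
            if (tmp == NULL) { free_columns(az, nCol); return NULL; }
            az = tmp;
        }
        char *copy = malloc(len);
        if (copy == NULL) { free_columns(az, nCol); return NULL; }
        memcpy(copy, name, len);
        az[++nCol] = copy;
    }
    /* Zero rows: the loop body never ran, so az was never allocated. Without
       this guard the two stores below would write through a NULL pointer. */
    if (az == NULL) return NULL;
    az[0] = NULL;
    az[nCol + 1] = NULL;
    *pnCol = nCol;
    return az;
}

int main(void) {
    const char *cols[] = { "id", "name", "created" };   /* constructed input */
    RowSource full = { cols, 3, 0 }, empty = { cols, 0, 0 };
    int n1, n2;
    char **a = column_list(&full, &n1), **b = column_list(&empty, &n2);
    printf("full: %d columns, empty: %s\n", n1, b ? "list" : "NULL");
    free_columns(a, n1); free_columns(b, n2);
    return 0;
}
```

Callers have to treat a NULL return as "no columns" rather than indexing the result unconditionally.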



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#878680; Package src:sqlite3. (Sun, 15 Oct 2017 18:33:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 15 Oct 2017 18:33:03 GMT).


Message #10 received at 878680@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 878680@bugs.debian.org
Subject: Re: Bug#878680: sqlite3: CVE-2017-15286: NULL pointer dereference in tableColumnList
Date: Sun, 15 Oct 2017 20:31:09 +0200
On Sun, Oct 15, 2017 at 08:25:55PM +0200, Salvatore Bonaccorso wrote:
> Attaching the poc.db.

... and if I claim that, I should do.

Now really attached.

Regards,
Salvatore
[CVE-2017-15286-poc.db.xz (application/x-xz, attachment)]

Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 16 Oct 2017 18:27:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 Oct 2017 18:27:03 GMT).


Message #15 received at 878680-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 878680-close@bugs.debian.org
Subject: Bug#878680: fixed in sqlite3 3.20.1-2
Date: Mon, 16 Oct 2017 18:23:18 +0000
Source: sqlite3
Source-Version: 3.20.1-2

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878680@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Oct 2017 17:23:10 +0000
Source: sqlite3
Binary: lemon sqlite3 sqlite3-doc libsqlite3-0-dbg libsqlite3-0 libsqlite3-dev libsqlite3-tcl
Architecture: source amd64 all
Version: 3.20.1-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 lemon      - LALR(1) Parser Generator for C or C++
 libsqlite3-0 - SQLite 3 shared library
 libsqlite3-0-dbg - SQLite 3 debugging symbols
 libsqlite3-dev - SQLite 3 development files
 libsqlite3-tcl - SQLite 3 Tcl bindings
 sqlite3    - Command line interface for SQLite 3
 sqlite3-doc - SQLite 3 documentation
Closes: 878680
Changes:
 sqlite3 (3.20.1-2) unstable; urgency=high
 .
   * Backport fix for CVE-2017-15286, NULL pointer dereference in
     tableColumnList() (closes: #878680).
   * Update Standards-Version to 4.1.1:
     - change libsqlite3-0-dbg priority to optional.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Nov 2017 07:30:49 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:47:43 2019; Machine Name: beach
