Debian Bug report logs -
#867618
sqlite3: CVE-2017-10989
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 7 Jul 2017 19:57:08 UTC
Severity: important
Tags: patch, security, upstream
Found in version sqlite3/3.8.7.1-1
Fixed in version sqlite3/3.19.3-3
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#867618; Package src:sqlite3. (Fri, 07 Jul 2017 19:57:10 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 07 Jul 2017 19:57:10 GMT)
Message #5 received at submit@bugs.debian.org:
Source: sqlite3
Version: 3.8.7.1-1
Severity: important
Tags: upstream security patch
Hi,
the following vulnerability was published for sqlite3.
CVE-2017-10989[0]:
| The getNodeSize function in ext/rtree/rtree.c in SQLite before 3.11.0,
| as used in GDAL and other products, mishandles undersized RTree blobs
| in a crafted database, leading to a heap-based buffer over-read or
| possibly unspecified other impact.
Even though the above description mentions "before 3.11.0" (and actually would
be 3.17.0), the issue is still present in later versions; it's hidden, as
explained in [1]. There is a patch at [2], so it might as well be
applied to newer versions (and it's basically already queued upstream as
well, with the referenced commit).
,---- [ make test ]
| ...
| ! rtreeA-7.110 expected: [1 {undersize RTree blobs in "t1_node"}]
| ! rtreeA-7.110 got: [1 {database disk image is malformed}]
| Time: rtreeA.test 56 ms
| ...
`----
(unrelated, speaking of the testsuite: it would be great if #339368 could be
made to work in Debian and maybe have autopkgtest smoke-tests running
the upstream testsuite, but not sure how feasible this is).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989
[1] https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937/comments/7
[2] https://sqlite.org/src/info/66de6f4a
Regards,
Salvatore
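As an added illustration (not SQLite's code and not part of this bug report), the defensive pattern behind the fix referenced above: refuse to interpret a node blob that is shorter than the expected node size, reporting it as corruption (the "undersize RTree blobs" error seen in the test output) instead of walking it as if it were full length. The node layout, NODE_SIZE and CELL_SIZE here are constructed simplifications; SQLite's real rtree node format differs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified node layout (not SQLite's real rtree format):
 *   bytes 0-1 : big-endian number of cells stored in the node
 *   bytes 2.. : cells of CELL_SIZE bytes each
 * Every node blob is expected to be exactly NODE_SIZE bytes long. */
#define NODE_SIZE 64
#define CELL_SIZE 12
#define MAX_CELLS ((NODE_SIZE - 2) / CELL_SIZE)   /* 5 cells fit */

enum { NODE_OK = 0, NODE_UNDERSIZE = 1, NODE_CORRUPT = 2 };

/* Validate a node blob before anything dereferences its cells.
 * An undersized blob is reported as corruption rather than being walked
 * as though it were NODE_SIZE bytes long (which would read past its end). */
int node_check(const uint8_t *blob, size_t blob_len) {
    if (blob == NULL || blob_len < NODE_SIZE)
        return NODE_UNDERSIZE;                 /* "undersize RTree blobs" */
    uint32_t ncell = ((uint32_t)blob[0] << 8) | blob[1];
    if (ncell > MAX_CELLS)
        return NODE_CORRUPT;                   /* cell count exceeds capacity */
    return NODE_OK;
}

/* Sum the 32-bit big-endian key at the start of each cell. Writes *sum and
 * returns NODE_OK only when the node passed validation. */
int node_sum_keys(const uint8_t *blob, size_t blob_len, uint32_t *sum) {
    int rc = node_check(blob, blob_len);
    if (rc != NODE_OK) return rc;
    uint32_t ncell = ((uint32_t)blob[0] << 8) | blob[1];
    uint32_t total = 0;
    for (uint32_t i = 0; i < ncell; i++) {
        const uint8_t *cell = blob + 2 + (size_t)i * CELL_SIZE;  /* in bounds per node_check */
        total += ((uint32_t)cell[0] << 24) | ((uint32_t)cell[1] << 16) |
                 ((uint32_t)cell[2] << 8)  |  cell[3];
    }
    *sum = total;
    return NODE_OK;
}

/* Build a constructed NODE_SIZE-byte node holding min(ncell, MAX_CELLS)
 * cells with keys 1..n; the header still records the requested ncell. */
size_t make_node(uint8_t *out, size_t out_len, uint32_t ncell) {
    if (out_len < NODE_SIZE) return 0;
    memset(out, 0, NODE_SIZE);
    out[0] = (uint8_t)(ncell >> 8);
    out[1] = (uint8_t)ncell;
    for (uint32_t i = 0; i < ncell && i < MAX_CELLS; i++)
        out[2 + (size_t)i * CELL_SIZE + 3] = (uint8_t)(i + 1);  /* key = i+1 */
    return NODE_SIZE;
}
```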
Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>: You have taken responsibility. (Fri, 07 Jul 2017 21:51:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 07 Jul 2017 21:51:05 GMT)
Message #10 received at 867618-close@bugs.debian.org:
Source: sqlite3
Source-Version: 3.19.3-3
We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867618@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 07 Jul 2017 20:59:53 +0000
Source: sqlite3
Binary: lemon sqlite3 sqlite3-doc libsqlite3-0-dbg libsqlite3-0 libsqlite3-dev libsqlite3-tcl
Architecture: source amd64 all
Version: 3.19.3-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
lemon - LALR(1) Parser Generator for C or C++
libsqlite3-0 - SQLite 3 shared library
libsqlite3-0-dbg - SQLite 3 debugging symbols
libsqlite3-dev - SQLite 3 development files
libsqlite3-tcl - SQLite 3 Tcl bindings
sqlite3 - Command line interface for SQLite 3
sqlite3-doc - SQLite 3 documentation
Closes: 867618
Changes:
sqlite3 (3.19.3-3) unstable; urgency=high
.
* Backport fix for CVE-2017-10989, heap-based buffer over-read via
undersized RTree blobs (closes: #867618).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Aug 2017 07:26:17 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:00 2019