sqlite3: CVE-2017-10989

Debian Bug report logs - #867618
sqlite3: CVE-2017-10989

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: sqlite3: CVE-2017-10989

Date: Fri, 07 Jul 2017 21:53:46 +0200

Source: sqlite3
Version: 3.8.7.1-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for sqlite3.

CVE-2017-10989[0]:
| The getNodeSize function in ext/rtree/rtree.c in SQLite before 3.11.0,
| as used in GDAL and other products, mishandles undersized RTree blobs
| in a crafted database, leading to a heap-based buffer over-read or
| possibly unspecified other impact.

Even the above description mentions "before 3.11.0" (and actually would
be 3.17.0) the issue is still present in later versions, it's hidden, as
explained in [1]. There is a patch at [2]. So it might be as well be
applied to newer versions (and it's basically already queued upstream as
well, with the referenced commit).

,---- [ make test ]
| ...
| ! rtreeA-7.110 expected: [1 {undersize RTree blobs in "t1_node"}]
| ! rtreeA-7.110 got:      [1 {database disk image is malformed}]
| Time: rtreeA.test 56 ms
| ...
`----

(unrelated, speaking of testsuite, would be great if #339368 could be
made working in Debian and maybe having autopkgtest smoke-tests running
the upstream testsuite, but not sure how feasible this is).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10989
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989
[1] https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937/comments/7
[2] https://sqlite.org/src/info/66de6f4a

Regards,
Salvatore

Message #10 received at 867618-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>

To: 867618-close@bugs.debian.org

Subject: Bug#867618: fixed in sqlite3 3.19.3-3

Date: Fri, 07 Jul 2017 21:49:52 +0000

Source: sqlite3
Source-Version: 3.19.3-3

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867618@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 07 Jul 2017 20:59:53 +0000
Source: sqlite3
Binary: lemon sqlite3 sqlite3-doc libsqlite3-0-dbg libsqlite3-0 libsqlite3-dev libsqlite3-tcl
Architecture: source amd64 all
Version: 3.19.3-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 lemon      - LALR(1) Parser Generator for C or C++
 libsqlite3-0 - SQLite 3 shared library
 libsqlite3-0-dbg - SQLite 3 debugging symbols
 libsqlite3-dev - SQLite 3 development files
 libsqlite3-tcl - SQLite 3 Tcl bindings
 sqlite3    - Command line interface for SQLite 3
 sqlite3-doc - SQLite 3 documentation
Closes: 867618
Changes:
 sqlite3 (3.19.3-3) unstable; urgency=high
 .
   * Backport fix for CVE-2017-10989, heap-based buffer over-read via
     undersized RTree blobs (closes: #867618).
Checksums-Sha1:
 5d9a53eda54f10e2b0d5ff9ee6e03e30eb68749f 2488 sqlite3_3.19.3-3.dsc
 de57db8c936d4c865cfa420932abeb96db421d06 17564 sqlite3_3.19.3-3.debian.tar.xz
 a5177212cdeb5bab8e648d24f61981d3f3af21b5 144096 lemon_3.19.3-3_amd64.deb
 029348f8ac2cda2a424d9e741f36a0e6fd1fb3d5 4429636 libsqlite3-0-dbg_3.19.3-3_amd64.deb
 564bc19074391090e9b9fb22c71b521a1b92390d 582376 libsqlite3-0_3.19.3-3_amd64.deb
 82904d25e79fb52b512229b7df33f1ea8c01fd61 714774 libsqlite3-dev_3.19.3-3_amd64.deb
 02362a05573b2027581109aee5b4f46845ddacb9 111770 libsqlite3-tcl_3.19.3-3_amd64.deb
 b5cfd95e08064a6c48b9239cc1a8d6525af0a5a6 3596468 sqlite3-doc_3.19.3-3_all.deb
 1fca090e71708a97bf97247b3e4d6ab0bbbefc9c 8083 sqlite3_3.19.3-3_amd64.buildinfo
 866aeb52228bc727d52775027df604a44d4a5ef3 798808 sqlite3_3.19.3-3_amd64.deb
Checksums-Sha256:
 eea0af6c0f700bec519d36f73322d69e4fbf3cf80b8820176d3e2ee6d2598daa 2488 sqlite3_3.19.3-3.dsc
 c6b49b43acfbbddf51cfe3cd2b8001dd036c3b0b0dd67d8c522055cf8affdd39 17564 sqlite3_3.19.3-3.debian.tar.xz
 e137f8617749858e419feccb2066cc88de64c358d1f83fa4e91a4e662ec66811 144096 lemon_3.19.3-3_amd64.deb
 c65d85bbf6bd15d52874678523364f1222fa139402a8c9df1f0d76e1964463ce 4429636 libsqlite3-0-dbg_3.19.3-3_amd64.deb
 d649a9f7c269addc05196118f1cfb0847c18b4e280308746744a3f7fc14e540a 582376 libsqlite3-0_3.19.3-3_amd64.deb
 0ecab434ee568fba45a2932aef3cca3dde00482ba867d2a274fdb26f5882eb29 714774 libsqlite3-dev_3.19.3-3_amd64.deb
 89e911e8aef479bd36f557987bef4e94802b0b59b7894b4726e6e28cf7d1ab89 111770 libsqlite3-tcl_3.19.3-3_amd64.deb
 ce093e32fc132ab1cf1bea7cfe038deee39bf08310b481a1e6e798ee4043cf87 3596468 sqlite3-doc_3.19.3-3_all.deb
 14844bdd95d2337e7e89d01b4963a5313af01fdd7e3bccaf14bb6c38fa0bb70d 8083 sqlite3_3.19.3-3_amd64.buildinfo
 6d3005aa94658e6988efa2c931fbcc0a120b71c3ea3e82b47633ab3300631dc3 798808 sqlite3_3.19.3-3_amd64.deb
Files:
 0990bed8adfe86afb0aadcdfe591f73a 2488 devel optional sqlite3_3.19.3-3.dsc
 04c9fa53012a6809152ecd98e2c3cdb6 17564 devel optional sqlite3_3.19.3-3.debian.tar.xz
 e84bf142825b3e1551152567ccc29faf 144096 devel optional lemon_3.19.3-3_amd64.deb
 ab2ad6faa1a538ab6ff28430f35ec500 4429636 debug extra libsqlite3-0-dbg_3.19.3-3_amd64.deb
 af7c40bb34d2cec5bf06b7c01cc4eeeb 582376 libs standard libsqlite3-0_3.19.3-3_amd64.deb
 39939315e4c5300b3af814a854558304 714774 libdevel optional libsqlite3-dev_3.19.3-3_amd64.deb
 7fd79c6d3847d80923a56cec196035ae 111770 interpreters optional libsqlite3-tcl_3.19.3-3_amd64.deb
 f597ad584da18dd291cfba287563f5f7 3596468 doc optional sqlite3-doc_3.19.3-3_all.deb
 a448ce6f6f4d500022826edd2f11b1e5 8083 devel optional sqlite3_3.19.3-3_amd64.buildinfo
 8065995b5acc5d7180800fda53ad02a8 798808 database optional sqlite3_3.19.3-3_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAllf/TAACgkQ3OMQ54ZM
yL8gAg//dDVVZykq0TW0y7O2EUb0UIwfxvrmg5UntV822ABMRBwRWQHOwuyjTkh6
gKoT1Q8uXmkrV4XUd42fBSAag5m33BzXqYZT+wv5QYW71Oouf8VeNNpGY9P2eNl+
MVP+KvYbpH/AJ4vwoQQn6Iul+74wLx/+Ic3Vo8G9GJEFa0uG+4ddOqskJTdG52Bo
OrdyJ34TZLVhsBOkRvWYDoEUOq66XS0cRtkHzMdLH7ubDh0dWFcVlrSsGMSPnqCG
EyltIXc+uLMcBtG4k7SyEbuJhBCAddgGVm9WJcBZs50NvQPGqeyvMf/heUCiHVy2
BxrGk3AXEEMafFPzYY3OdWmVGpbC4i9HsNhVm5/d+GxZf/tKPnP7BUjlPuVSPdaW
8hDzzMMFsvX/AbPCBx9nWABpTxG/RyxUZdxV7e6/hfWxl7iMhWJa4Lw7DPv117nZ
SxWlH6b1NUkqUMBrgD0GNs1jpJCcnNMDB/lnSOlUNjOU7Opy1XMSI4s/W+LnF8rE
PBPgx3atMgmqaU31QXUhzflaT+qzHChLBcndPLjMe0Zu/bP2cGMjgATa4uw2TY+0
jvoK7o+eovOl7ad85zJWQPJnL/sl+2XiiCvzeZYKwKGPOHkpITEAHuxAFoUpw+rG
EFWekXSzXwOKFYDTd1JLYg55JRhLFbCN4rln6yE27UMARoD7wbE=
=dwXY
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.