Debian Bug report logs -
#893195
sqlite3: CVE-2018-8740: null pointer derference
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 17 Mar 2018 09:06:02 UTC
Severity: important
Tags: patch, security, upstream
Found in version sqlite3/3.8.7.1-1
Fixed in version sqlite3/3.22.0-2
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#893195; Package src:sqlite3.
(Sat, 17 Mar 2018 09:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Sat, 17 Mar 2018 09:06:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: sqlite3
Version: 3.8.7.1-1
Severity: important
Tags: patch security upstream
Hi,
the following vulnerability was published for sqlite3.
CVE-2018-8740[0]:
| In SQLite through 3.22.0, databases whose schema is corrupted using a
| CREATE TABLE AS statement could cause a NULL pointer dereference,
| related to build.c and prepare.c.
The fix can be verified with the rerpording db from the launchpad
bugreport, [2] including showing that the issue is in the library and
not in the shell with a minimal example.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-8740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8740
[1] http://www.openwall.com/lists/oss-security/2018/03/17/1
[2] https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1756349
[3] https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema
[4] https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
[5] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6964 (not yet accessible)
Regards,
Salvatore
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Sat, 17 Mar 2018 10:06:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 17 Mar 2018 10:06:06 GMT) (full text, mbox, link).
Message #10 received at 893195-close@bugs.debian.org (full text, mbox, reply):
Source: sqlite3
Source-Version: 3.22.0-2
We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 893195@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 17 Mar 2018 09:13:53 +0000
Source: sqlite3
Binary: lemon sqlite3 sqlite3-doc libsqlite3-0 libsqlite3-dev libsqlite3-tcl
Architecture: source amd64 all
Version: 3.22.0-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
lemon - LALR(1) Parser Generator for C or C++
libsqlite3-0 - SQLite 3 shared library
libsqlite3-dev - SQLite 3 development files
libsqlite3-tcl - SQLite 3 Tcl bindings
sqlite3 - Command line interface for SQLite 3
sqlite3-doc - SQLite 3 documentation
Closes: 893195
Changes:
sqlite3 (3.22.0-2) unstable; urgency=high
.
* Backport upstream security fix for CVE-2018-8740: NULL pointer dereference
(closes: #893195).
Checksums-Sha1:
81b13cf3b575c3f5eedcd6568f2217ca06a2e798 2397 sqlite3_3.22.0-2.dsc
4f02d427016eb92bfd6948312ab48e83cec4bdcb 17992 sqlite3_3.22.0-2.debian.tar.xz
95f914b48b86c76704a02b853b11dcc49e2b15c5 62064 lemon-dbgsym_3.22.0-2_amd64.deb
4a5247563a4f73e1a0415264aef3701f111a74e2 152988 lemon_3.22.0-2_amd64.deb
e3a7fb123f5c74d27c2df8e50b16086fd625a024 1375912 libsqlite3-0-dbgsym_3.22.0-2_amd64.deb
6a4762925d021913659d5cc93300cacd07f8f4a0 595364 libsqlite3-0_3.22.0-2_amd64.deb
ff1f13f42b35df6040c60d3ac61b43fe6707f7ad 730080 libsqlite3-dev_3.22.0-2_amd64.deb
eeb559e439554512a2a653dad810a2770d393ba7 56168 libsqlite3-tcl-dbgsym_3.22.0-2_amd64.deb
3c64b6e40f06064aa1c0b4dec2b378de9fcff6c4 120324 libsqlite3-tcl_3.22.0-2_amd64.deb
423ad01b7325aeb3e4d07cc08ebf3924a6ea3dbb 2993800 sqlite3-dbgsym_3.22.0-2_amd64.deb
b752202702bc96bb2244a8b1ff25e2d4851fd530 3690172 sqlite3-doc_3.22.0-2_all.deb
add95c0fc21a0d2a8a620b852611237e67704ada 9000 sqlite3_3.22.0-2_amd64.buildinfo
f768be4625873c43f596081e526a9fda44c80acf 850800 sqlite3_3.22.0-2_amd64.deb
Checksums-Sha256:
c949e336cf7459cd21f1c6c58ca39a254806b35f74a312ae483dd4beed79d71f 2397 sqlite3_3.22.0-2.dsc
2227ca598d994ecfa71c160245c1df7be9d25dce02d4fcb1ffb7608004d67f43 17992 sqlite3_3.22.0-2.debian.tar.xz
bb6692488cc88fa194ed23fcb4c6058b8d3147494531af1492b9c682f7877be5 62064 lemon-dbgsym_3.22.0-2_amd64.deb
56a6dbd351878051943ae096d76a53769a95f283137f59c83edb0116cef1f7ad 152988 lemon_3.22.0-2_amd64.deb
d4f6f176adac90d79678b3c17a999cd2728c506b73befeb61dbf772a9f69ecc3 1375912 libsqlite3-0-dbgsym_3.22.0-2_amd64.deb
190973a42ab79efc2950b1f18b4662a5f3f333d9551f812101d820c07c9c95ef 595364 libsqlite3-0_3.22.0-2_amd64.deb
d744a93b908854ac445eb01ee69b69d928714294138222c321f0d9282b704917 730080 libsqlite3-dev_3.22.0-2_amd64.deb
a6df75c7c6496a2a680998b7006e582f8b1141818fbca8afb04df154c746dec0 56168 libsqlite3-tcl-dbgsym_3.22.0-2_amd64.deb
18714f6da1778c9452f0aa113cbb7df5fe6794f28eff13f89b4a7693a6dd93c2 120324 libsqlite3-tcl_3.22.0-2_amd64.deb
03a942fab330abcd3dae08dd2c5146cd4b706bc7df613958e10c98cdf2a19024 2993800 sqlite3-dbgsym_3.22.0-2_amd64.deb
d64a9caa0153ca95acb835e1ce653013c82c5d8b07b414b0fccb44082e1707bc 3690172 sqlite3-doc_3.22.0-2_all.deb
8e1ba6d04deb707cedb89807884a7f477036185a228b865aa048dda1dc2dfe4b 9000 sqlite3_3.22.0-2_amd64.buildinfo
e0c253f110ca5fab2e4af123f55ef19b09522a2cafec836de09f734f7c959449 850800 sqlite3_3.22.0-2_amd64.deb
Files:
09b8904ecdcdd60c24e8cf0dffb7ff7d 2397 devel optional sqlite3_3.22.0-2.dsc
468eb0a436f2639b61b96d42f9de2fe9 17992 devel optional sqlite3_3.22.0-2.debian.tar.xz
ebf3581908ef6d5e598bdc34d8ba4b06 62064 debug optional lemon-dbgsym_3.22.0-2_amd64.deb
a3fe6e0d4e4a7982fd91725d565dd40d 152988 devel optional lemon_3.22.0-2_amd64.deb
4c3c1cbc6f96e28195ce1def74794322 1375912 debug optional libsqlite3-0-dbgsym_3.22.0-2_amd64.deb
b918209bab7be8b552107da314d435e8 595364 libs optional libsqlite3-0_3.22.0-2_amd64.deb
9654f072a4859bcfb408a9188b8504d8 730080 libdevel optional libsqlite3-dev_3.22.0-2_amd64.deb
1d08842c444e3dd275be30ecb87c2ca5 56168 debug optional libsqlite3-tcl-dbgsym_3.22.0-2_amd64.deb
d57cdea4e4fb3ca6208ed82841571cb6 120324 interpreters optional libsqlite3-tcl_3.22.0-2_amd64.deb
e6c5ca56290f5f79e90f25f5a7f1b068 2993800 debug optional sqlite3-dbgsym_3.22.0-2_amd64.deb
e3b28137f5ecee35219b28d051ec5004 3690172 doc optional sqlite3-doc_3.22.0-2_all.deb
2fd7f437ed6a7c4861de3239cb3d1514 9000 devel optional sqlite3_3.22.0-2_amd64.buildinfo
e252b75125a9206ab481cb9cb1c00169 850800 database optional sqlite3_3.22.0-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlqs5UEACgkQ3OMQ54ZM
yL8fNQ//fib8FJV7XjiLLeb8BoNYp5hzW8H7Vup6qGyzh4fgU/dnnMJMcmIoB1Y2
ti0eG7Gb8xlyTC+jpCMHP/cja+B2pGCK8oNmQVzxLmtCQ5ZjkoCkAPGrEH3jQAEH
jJPRJDLVoMjxRk0Aw/bCsFn42sXaiqZ/WMzIhVdR04vjV+YYo9/Vqmj3uAUfrHdz
QWglQkM9NZepBpoOOhOyi1YpcMwCwd4yDZkwompOv2r9t0wJXV/lB78q/G1M3vXw
wzpmsqmOQOfaK2r3+azgWFHwYRxJcB1TySW83m2XiCEZtcwyawcyybSeeEbbpq5C
Ik07GGR0i3f67quqz3vU/QbUlybse3X03tl5q7akDkUr1xH4d55xaoA6CiT88khD
+EZWhJd2a1H1Igt4Ps4S7sFsXST6xjoFsWhxQ0YgnDrMRiMvSncmzck30YYpJqRQ
XOs8IMZYzcOFIdkWbOva5JGojq5w7TyBZ2hTstimtA0soP3xYyBYW8bpqKBtH2ZE
WIrioHWK7UfJvLHTH1x6/xACHndm7GAjoL+xmDAjy+JF4SW4SC/aXz+TMEBe9MLw
CjaWJoiK+1rV7b7oBcv8/+p1QbEt7yaFtQkPY3AIkZnT5EKjhBlnLm6HeWImdGJi
gSTMc10XMIP3BYbTP2BuPO9cGUaCOb/Jr0QuX5Y/kGVgJ3qr/yI=
=642j
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 07 Jun 2018 07:28:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:58:09 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon