Debian Bug report logs - #441233: CVE-2007-1888 possible code execution via sqlite_decode_binary
Reported by: Nico Golde <nion@debian.org>
Date: Fri, 7 Sep 2007 15:45:04 UTC
Severity: grave
Tags: security
Found in version sqlite/2.8.17-2
Fixed in versions sqlite/2.8.17-2.1, sqlite/2.8.17-3
Done: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#441233; Package sqlite.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
Message #5 received at submit@bugs.debian.org:
Package: sqlite
Version: 2.8.17-2
Severity: grave
Tags: security
Hi,
A CVE was published for sqlite2:
CVE-2007-1888[0]:
Buffer overflow in the sqlite_decode_binary function in src/encode.c in SQLite
2, as used by PHP 4.x through 5.x and other applications, allows
context-dependent attackers to execute arbitrary code via an empty value of the
in parameter. NOTE: some PHP installations use a bundled version of sqlite
without this vulnerability. The SQLite developer has argued that this issue
could be due to a misuse of the sqlite_decode_binary() API.
I already have a fixed package ready, so I am going to 0-day NMU this package to fix
this.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#441233; Package sqlite.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
Message #10 received at 441233@bugs.debian.org:
Hi,
attached is the patch for my NMU.
It will also be archived at:
http://people.debian.org/~nion/nmu-diff/sqlite_2.8.17-2_2.8.17-2.1.patch
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[sqlite_2.8.17-2_2.8.17-2.1.patch (text/x-diff, attachment)]
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #15 received at 441233-close@bugs.debian.org:
Source: sqlite
Source-Version: 2.8.17-2.1
We believe that the bug you reported is fixed in the latest version of
sqlite, which is due to be installed in the Debian FTP archive:
libsqlite-tcl_2.8.17-2.1_i386.deb
to pool/main/s/sqlite/libsqlite-tcl_2.8.17-2.1_i386.deb
libsqlite0-dev_2.8.17-2.1_i386.deb
to pool/main/s/sqlite/libsqlite0-dev_2.8.17-2.1_i386.deb
libsqlite0_2.8.17-2.1_i386.deb
to pool/main/s/sqlite/libsqlite0_2.8.17-2.1_i386.deb
sqlite-doc_2.8.17-2.1_all.deb
to pool/main/s/sqlite/sqlite-doc_2.8.17-2.1_all.deb
sqlite_2.8.17-2.1.diff.gz
to pool/main/s/sqlite/sqlite_2.8.17-2.1.diff.gz
sqlite_2.8.17-2.1.dsc
to pool/main/s/sqlite/sqlite_2.8.17-2.1.dsc
sqlite_2.8.17-2.1_i386.deb
to pool/main/s/sqlite/sqlite_2.8.17-2.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 441233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated sqlite package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 07 Sep 2007 17:47:03 +0200
Source: sqlite
Binary: libsqlite0-dev libsqlite0 sqlite sqlite-doc libsqlite-tcl
Architecture: source i386 all
Version: 2.8.17-2.1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Nico Golde <nion@debian.org>
Description:
libsqlite-tcl - SQLite TCL bindings
libsqlite0 - SQLite shared library
libsqlite0-dev - SQLite development files
sqlite - command line interface for SQLite
sqlite-doc - SQLite documentation
Closes: 441233
Changes:
sqlite (2.8.17-2.1) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Included 01-fix-CVE-2007-1888.patch to fix buffer overflow
in encode.c (CVE-2007-1888) (Closes: #441233).
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#441233; Package sqlite.
Acknowledgement sent to Laszlo Boszormenyi <gcs@debian.hu>: Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
Message #20 received at 441233@bugs.debian.org:
Hi Nico!
On Fri, 2007-09-07 at 17:44 +0200, Nico Golde wrote:
> A CVE was published for sqlite2:
> CVE-2007-1888[0]:
[...]
> I already have a fixed package ready, so I am going to 0-day NMU this package to fix
> this.
I understand that this is a security fix, but I don't think everyone
uses sqlite_decode_binary(), so it isn't that big a security threat. I mean,
I would have appreciated it if you had given me some hours before the NMU. :-|
Regards,
Laszlo/GCS
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#441233; Package sqlite.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
Message #25 received at 441233@bugs.debian.org:
Hi,
* Laszlo Boszormenyi <gcs@debian.hu> [2007-09-07 20:11]:
> On Fri, 2007-09-07 at 17:44 +0200, Nico Golde wrote:
> > A CVE was published for sqlite2:
> > CVE-2007-1888[0]:
> [...]
> > I already have a fixed package ready, so I am going to 0-day NMU this package to fix
> > this.
> I understand that this is a security fix, but I don't think everyone
> uses sqlite_decode_binary(), so it isn't that big a security threat. I mean,
> I would have appreciated it if you had given me some hours before the NMU. :-|
Ok, sorry for this. I first thought you were not a DD because of
your email address, and because of that thought you would need a
sponsor and that it would take longer to get an update that way.
Sorry again, will wait longer next time.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #30 received at 441233-close@bugs.debian.org:
Source: sqlite
Source-Version: 2.8.17-3
We believe that the bug you reported is fixed in the latest version of
sqlite, which is due to be installed in the Debian FTP archive:
libsqlite-tcl_2.8.17-3_i386.deb
to pool/main/s/sqlite/libsqlite-tcl_2.8.17-3_i386.deb
libsqlite0-dev_2.8.17-3_i386.deb
to pool/main/s/sqlite/libsqlite0-dev_2.8.17-3_i386.deb
libsqlite0_2.8.17-3_i386.deb
to pool/main/s/sqlite/libsqlite0_2.8.17-3_i386.deb
sqlite-doc_2.8.17-3_all.deb
to pool/main/s/sqlite/sqlite-doc_2.8.17-3_all.deb
sqlite_2.8.17-3.diff.gz
to pool/main/s/sqlite/sqlite_2.8.17-3.diff.gz
sqlite_2.8.17-3.dsc
to pool/main/s/sqlite/sqlite_2.8.17-3.dsc
sqlite_2.8.17-3_i386.deb
to pool/main/s/sqlite/sqlite_2.8.17-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 441233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.hu> (supplier of updated sqlite package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 08 Sep 2007 10:53:33 +0300
Source: sqlite
Binary: libsqlite0-dev libsqlite0 sqlite sqlite-doc libsqlite-tcl
Architecture: source i386 all
Version: 2.8.17-3
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Description:
libsqlite-tcl - SQLite TCL bindings
libsqlite0 - SQLite shared library
libsqlite0-dev - SQLite development files
sqlite - command line interface for SQLite
sqlite-doc - SQLite documentation
Closes: 412582 426155 441233
Changes:
sqlite (2.8.17-3) unstable; urgency=medium
.
* Accept Nico's quick security fix related upload (closes: #441233).
* Add Italian and Catalan debconf translations, thanks to Luca Monducci and
Jorda Polo respectively (closes: #426155, #412582).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 16 Mar 2009 08:32:18 GMT).