Debian Bug report logs -
#783968
sqlite3: CVE-2015-3414 CVE-2015-3415 CVE-2015-3416
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 1 May 2015 17:54:01 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in versions sqlite3/3.8.7.4-1, sqlite3/3.8.7.1-1
Fixed in versions sqlite3/3.8.9-1, sqlite3/3.8.7.1-1+deb8u1
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#783968; Package src:sqlite3.
(Fri, 01 May 2015 17:54:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Fri, 01 May 2015 17:54:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: sqlite3
Version: 3.8.7.4-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for sqlite3.
CVE-2015-3414[0]:
| SQLite before 3.8.9 does not properly implement the dequoting of
| collation-sequence names, which allows context-dependent attackers to
| cause a denial of service (uninitialized memory access and application
| crash) or possibly have unspecified other impact via a crafted COLLATE
| clause, as demonstrated by COLLATE"""""""" at the end of a SELECT
| statement.
CVE-2015-3415[1]:
| The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not
| properly implement comparison operators, which allows
| context-dependent attackers to cause a denial of service (invalid free
| operation) or possibly have unspecified other impact via a crafted
| CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE
| statement.
CVE-2015-3416[2]:
| The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does
| not properly handle precision and width values during floating-point
| conversions, which allows context-dependent attackers to cause a
| denial of service (integer overflow and stack-based buffer overflow)
| or possibly have unspecified other impact via large integers in a
| crafted printf function call in a SELECT statement.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3414
[1] https://security-tracker.debian.org/tracker/CVE-2015-3415
[2] https://security-tracker.debian.org/tracker/CVE-2015-3416
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Fri, 01 May 2015 21:48:10 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 01 May 2015 21:48:10 GMT) (full text, mbox, link).
Message #10 received at 783968-close@bugs.debian.org (full text, mbox, reply):
Source: sqlite3
Source-Version: 3.8.9-1
We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 783968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 21 Apr 2015 15:28:23 +0000
Source: sqlite3
Binary: lemon sqlite3 sqlite3-doc libsqlite3-0-dbg libsqlite3-0 libsqlite3-dev libsqlite3-tcl
Architecture: source all amd64
Version: 3.8.9-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
lemon - LALR(1) Parser Generator for C or C++
libsqlite3-0 - SQLite 3 shared library
libsqlite3-0-dbg - SQLite 3 debugging symbols
libsqlite3-dev - SQLite 3 development files
libsqlite3-tcl - SQLite 3 Tcl bindings
sqlite3 - Command line interface for SQLite 3
sqlite3-doc - SQLite 3 documentation
Closes: 783968
Changes:
sqlite3 (3.8.9-1) unstable; urgency=high
.
* New upstream release.
* Fixes CVE-2015-3414 , CVE-2015-3415 and CVE-2015-3416 (closes: #783968).
* Rework 20-hurd-locking-style.patch due to upstream changes.
Checksums-Sha1:
e652c0d59c80dbffbf6ac39a43eedc1d4ae5bf85 2486 sqlite3_3.8.9-1.dsc
b5ca8c00de5ec0b7ef5e6bb8ae605ed6daad1b09 2948676 sqlite3_3.8.9.orig-www.tar.xz
dbb756353d8ab3448dfabc9ac5efdb7e7f375487 3518648 sqlite3_3.8.9.orig.tar.xz
84e772d4b1601ccb9cb5e2481010026859051657 16452 sqlite3_3.8.9-1.debian.tar.xz
795a081252e135450d99b725fee782d75b34d8cf 3046018 sqlite3-doc_3.8.9-1_all.deb
bb974a1712b46033690da91df54087c09a4cc68b 120134 lemon_3.8.9-1_amd64.deb
b7647fffb2f0f082b8d9bb3e0f74809bc950fb38 106964 sqlite3_3.8.9-1_amd64.deb
931961f4ee7223038fc347e2e68310d5a82a099f 1027910 libsqlite3-0-dbg_3.8.9-1_amd64.deb
b82cd6fb93c76cdcdd739f0aafaa98330ce6dd87 445866 libsqlite3-0_3.8.9-1_amd64.deb
7121868db214b2e3d7ac35c422ba5e8c69afbd2f 546714 libsqlite3-dev_3.8.9-1_amd64.deb
6908ad6e5fa43d7bcbb9d6513c1419a5c1723fc2 90428 libsqlite3-tcl_3.8.9-1_amd64.deb
Checksums-Sha256:
57a056eda0d19aa96df101d4111bc80755d9e41d80a5749275f64860fcafb55a 2486 sqlite3_3.8.9-1.dsc
2e841dc8ad46ea8ee326e8a04410315485688a6c8690115873c069ebc6aafb9a 2948676 sqlite3_3.8.9.orig-www.tar.xz
df2c8f3bf56c0b973e82ae83ec8b5f60b641d3f260b74b2bd33612da15f2f620 3518648 sqlite3_3.8.9.orig.tar.xz
0d2266dce1a3bc7672fe67e89cab31fc18a1920bda7bcbb88921c06c7e138fcb 16452 sqlite3_3.8.9-1.debian.tar.xz
dc1142df33e478c49c08bfbc13b109262f64bb89f45fb40d61bbe006bc22562a 3046018 sqlite3-doc_3.8.9-1_all.deb
01c2f21bac4524a73bc3a6cdd7b89cc0e03435f27dad4795e52fb27601477804 120134 lemon_3.8.9-1_amd64.deb
5eb4ef5b76d50aa05c6bb377c745d5f2330390c189b4a7b3353a5f17fe1ecae4 106964 sqlite3_3.8.9-1_amd64.deb
dcededcfbf77955bae8dc107c54ba75578eae40800a1177162a5dfb2eea51223 1027910 libsqlite3-0-dbg_3.8.9-1_amd64.deb
9ed5d6314d28d3e5755333e516f09e76aaa1bd78844764fc662200dcbd5ecf49 445866 libsqlite3-0_3.8.9-1_amd64.deb
0018e0fbb8e482fd714dd880bb139a1c48c48571a064c8af574d03bb838e6a58 546714 libsqlite3-dev_3.8.9-1_amd64.deb
f0e7d1aef2ed1372f15d9b49bce171ddb35d752697c82e3a958dce51907088a1 90428 libsqlite3-tcl_3.8.9-1_amd64.deb
Files:
fc8bb76a1cd6ebd16c96b74c35c2cf81 2486 devel optional sqlite3_3.8.9-1.dsc
1159d69bcf3d067a563c3821fca54be5 2948676 devel optional sqlite3_3.8.9.orig-www.tar.xz
6779309fded5dc8e25d3f4c7fdce440e 3518648 devel optional sqlite3_3.8.9.orig.tar.xz
e5266af9337401964573aae7b10a2b6b 16452 devel optional sqlite3_3.8.9-1.debian.tar.xz
bddde3cfcd29794dbe121249e5a16ae1 3046018 doc optional sqlite3-doc_3.8.9-1_all.deb
d8c8a7244201dce0f99d1c1c89f3df6c 120134 devel optional lemon_3.8.9-1_amd64.deb
5c522b7394e31e96fd919d272d1532e2 106964 database optional sqlite3_3.8.9-1_amd64.deb
6bbb9fc849afe307c7ef3ce71921218e 1027910 debug extra libsqlite3-0-dbg_3.8.9-1_amd64.deb
e7e6fac159ad127c44bef55ac3dc2ac3 445866 libs standard libsqlite3-0_3.8.9-1_amd64.deb
214a02614cb48abaf7aeec5998075ef1 546714 libdevel optional libsqlite3-dev_3.8.9-1_amd64.deb
e51d9c4a01bca91219ec8ee19d717758 90428 interpreters optional libsqlite3-tcl_3.8.9-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVQ9faAAoJENzjEOeGTMi/SrYP/0kb4jQiBqx/QIiOhR4H+63o
3C6Pg4jJscgWOnzaTpi80QhfLTO/vFi7Ki5UN02Pc/lP7AxxCtp8/Vul3/yg08Qn
gBOhJ5kA3DTQhlcMBF+l5lwdIhJQltwk5jl2MFsU+8qbbt6NQkFpMJx5xFSzN6An
Crd36BkoaVrRWgidAlUo7AJj1qstMAfg4v4wmfmSvapyqRoHcwLzZ4jJP4VNYD/d
GdB6015oQi76GxkIpPko0gBZ1gM6aEh9qdh8tofUrslaJT+QMUaI/YPymeh9UeRY
k0PNlwPCnB7k8xgw1eVjU8nlwQv0hZ1z6M4OKL14Dx2mnTMtwQJWMpWcBBCwGhaL
gkh6HW5sHomOdwKlNnJlvBn0xheP35Djuy6GRJTDuYB9OyJxeyTCwMiFVriy1WKB
QKg6rY+5au9YlyRqBEjQqmTHpHKel2ex/r0OSGbCTnXYE8EPsXjMf9rs+NkHBDan
E/0m0LBruiw6PcpGWpHAybVnFPmaje4WhgNAfUXHSjwlWY6+Yd5in54N6egexM/+
qsBut5sJgGIIZSqoVZI8xnZZFZI2cuGONQOGJmVXqWIWMMTdCIaEAdqpBV1Bgi+e
1RYXwl+vjZUpJNDiX7Nd0hMrSn0N/St06DSOaVreGVM5KorbToNL0iAu3PTDL3FS
LvRr5vRHuV40qzZiAFd7
=ZnLp
-----END PGP SIGNATURE-----
Marked as fixed in versions sqlite3/3.8.7.1-1+deb8u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 09 May 2015 14:51:13 GMT) (full text, mbox, link).
Marked as found in versions sqlite3/3.8.7.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 09 May 2015 15:24:05 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 23 Jun 2015 07:31:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:28:12 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon