GNU bug report logs - #47231
sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Thu, 18 Mar 2021 11:43:02 UTC

Severity: normal

Tags: security

Done: Léo Le Bouter <lle-bout <at> zaclys.net>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#47231; Package guix. (Thu, 18 Mar 2021 11:43:02 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 18 Mar 2021 11:43:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656,
 CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631,
 CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 18 Mar 2021 12:42:43 +0100
[Message part 1 (text/plain, inline)]
According to https://www.sqlite.org/versionnumbers.html, major versions
of sqlite remain ABI and file format backwards compatible.

This means we could graft without trouble: 3.32.3 fixes all CVEs.
However, 3.32 introduces a test failure in Python 3.8.2, which is an
erroneous test testing an internal sqlite implementation detail (but
grafting won't actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this,
but it turns out to be unnecessarily complicated; see
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo
[0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
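The safety argument for the graft rests on the two claims in the report above: the fixed libsqlite3 keeps the old ABI, and the files it writes stay readable by older code. The script below, an added example that is neither the reporter's patch nor Guix code, checks both preconditions. It assumes binutils `nm` is on PATH; the two library paths are placeholders supplied by the caller, and the sample database it writes is constructed on the spot.

```python
"""Added example for bug#47231; not code from Guix or from the reporter.

A graft rewrites references to the old sqlite store item into references
to the fixed one without rebuilding dependents, so it is only safe if
(1) the fixed libsqlite3 still exports every dynamic symbol the old one
did and (2) the files it writes stay readable by older code.  This script
checks both.  Library paths are placeholders supplied by the caller;
`nm` from binutils is assumed to be on PATH."""

import os
import sqlite3
import struct
import subprocess
import tempfile


def exported_symbols(library_path):
    """Set of defined dynamic symbols of a shared object, read from
    `nm -D --defined-only` (each output line is '<addr> <type> <name>')."""
    out = subprocess.run(
        ["nm", "-D", "--defined-only", library_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return {line.split()[-1] for line in out.splitlines() if line.strip()}


def missing_symbols(old_symbols, new_symbols):
    """Symbols the old library exported that the replacement lacks, sorted.
    Anything listed here would fail to resolve at load time in a dependent
    that was grafted but never relinked."""
    return sorted(set(old_symbols) - set(new_symbols))


def abi_compatible(old_library, new_library):
    """True when the replacement keeps every exported symbol of the old
    library; symbols only added by the new one do not break a graft."""
    return not missing_symbols(exported_symbols(old_library),
                               exported_symbols(new_library))


def sqlite_header_info(db_path):
    """Parse the fields of the 100-byte SQLite file header that an older
    library inspects before accepting a database file."""
    with open(db_path, "rb") as f:
        header = f.read(100)
    raw_page_size = struct.unpack(">H", header[16:18])[0]
    return {
        "magic": header[:16],
        # The header stores 1 to mean a 65536-byte page.
        "page_size": 65536 if raw_page_size == 1 else raw_page_size,
        "write_version": header[18],  # 1 = rollback journal, 2 = WAL
        "read_version": header[19],
    }


def file_format_compatible(db_path, max_read_version=2):
    """True when the file carries the 'SQLite format 3' magic and a read
    version no newer than MAX_READ_VERSION; 2 (WAL) is understood by every
    3.x release from 3.7.0 on."""
    info = sqlite_header_info(db_path)
    return (info["magic"] == b"SQLite format 3\x00"
            and 1 <= info["read_version"] <= max_read_version)


def make_sample_db(db_path):
    """Write a constructed sample database with the running SQLite library;
    stands in for 'the new library writes a file' in the thread."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, v TEXT)")
    conn.executemany("INSERT INTO t (v) VALUES (?)", [("a",), ("b",)])
    conn.commit()
    conn.close()


def sample_db_check():
    """Create the sample database in a temporary directory and return its
    parsed header together with the compatibility verdict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        make_sample_db(path)
        return sqlite_header_info(path), file_format_compatible(path)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        dropped = missing_symbols(exported_symbols(sys.argv[1]),
                                  exported_symbols(sys.argv[2]))
        print("ABI compatible" if not dropped else "dropped symbols: %s" % dropped)
    info, ok = sample_db_check()
    print(info, "file format compatible" if ok else "file format NOT compatible")
```

To compare the ungrafted and fixed builds from a Guix checkout (assuming the sqlite package has a single output), pass the two library paths: `python3 check.py "$(guix build --no-grafts sqlite)/lib/libsqlite3.so" "$(guix build -e '(@ (gnu packages sqlite) sqlite/fixed)')/lib/libsqlite3.so"`. The symbol check is deliberately one-directional: a replacement may add exports, but any symbol it drops would break every already-built dependent the graft rewrites.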

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Fri, 19 Mar 2021 10:31:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#47231; Package guix. (Tue, 23 Mar 2021 23:38:01 GMT)

Message #10 received at 47231 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47231 <at> debbugs.gnu.org
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Wed, 24 Mar 2021 00:37:00 +0100
[Message part 1 (text/plain, inline)]
One more:

CVE-2021-20227	23.03.21 18:15
A flaw was found in SQLite's SELECT query functionality (src/select.c).
This flaw allows an attacker who is capable of running SQL queries
locally on the SQLite database to cause a denial of service or possible
code execution by triggering a use-after-free. The highest threat from
this vulnerability is to system availability.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47231; Package guix. (Wed, 24 Mar 2021 22:56:02 GMT)

Message #13 received at 47231 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47231 <at> debbugs.gnu.org
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Wed, 24 Mar 2021 23:54:52 +0100
[Message part 1 (text/plain, inline)]
I could test the graft with GNU Guix's test suite by manually replacing
the sqlite input with sqlite/fixed like so:

diff --git a/gnu/packages/package-management.scm
b/gnu/packages/package-management.scm
index 888f54322d..70f5c2dad3 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -389,7 +389,7 @@ $(prefix)/etc/init.d\n")))
       (inputs
        `(("bzip2" ,bzip2)
          ("gzip" ,gzip)
-         ("sqlite" ,sqlite)
+         ("sqlite" ,sqlite/fixed)
          ("libgcrypt" ,libgcrypt)
 
          ("guile" ,guile-3.0-latest)
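Review bot: the `("sqlite" ,sqlite/fixed)` substitution is a throwaway test rig and must stay out of the pushed patch; as the first message notes, a graft never re-runs a dependent's test suite, and what this hunk exercises is a full rebuild of guix against the fixed library, which is a stronger check than the graft itself (a post-build rewrite of store references) but not the same artifact. Say so in the bug when reporting the result, so nobody reads "it worked fine" as a test of the grafted output.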

It worked fine.

Is that enough of a test to graft in master?

Let me know and I will push.

Léo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47231; Package guix. (Thu, 25 Mar 2021 11:28:02 GMT)

Message #16 received at submit <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Léo Le Bouter <lle-bout <at> zaclys.net>, Ludovic
 Courtès <ludo <at> gnu.org>
Cc: 47231 <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 25 Mar 2021 12:27:28 +0100
Thanks!

I'm currently rebuilding IceCat with this change as an extra 
precaution, but that shouldn't take long.  If that doesn't cause 
problems this LGTM for master.

Ludo', do you think the Guix test described here is a good one?

Kind regards,

T G-R




Information forwarded to bug-guix <at> gnu.org:
bug#47231; Package guix. (Thu, 25 Mar 2021 15:57:02 GMT)

Message #22 received at submit <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 47231 <at> debbugs.gnu.org, Léo Le Bouter <lle-bout <at> zaclys.net>,
 bug-guix <at> gnu.org
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 25 Mar 2021 16:56:00 +0100
Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> I'm currently rebuilding IceCat with this change as an extra
> precaution, but that shouldn't take long.  If that doesn't cause 
> problems this LGTM for master.

OK, it worked, old IceCat writes new SQLite files.

Kind regards,

T G-R




Information forwarded to bug-guix <at> gnu.org:
bug#47231; Package guix. (Fri, 26 Mar 2021 01:26:01 GMT)

Message #28 received at 47231 <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Léo Le Bouter <lle-bout <at> zaclys.net>, 47231 <at> debbugs.gnu.org
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 25 Mar 2021 21:23:56 -0400
Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

> From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout <at> zaclys.net>
> Date: Thu, 18 Mar 2021 07:09:10 +0100
> Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].
>
> * gnu/packages/sqlite.scm (sqlite/fixed): New variable.
> (sqlite)[replacement]: Graft.
> ---
>  gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
> index eeb77749d8..cc378b359a 100644
> --- a/gnu/packages/sqlite.scm
> +++ b/gnu/packages/sqlite.scm
> @@ -65,6 +65,7 @@
>              (sha256
>               (base32
>                "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
> +   (replacement sqlite/fixed)
>     (build-system gnu-build-system)
>     (inputs `(("readline" ,readline)))
>     (native-inputs (if (hurd-target?)
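Review bot: the commit message above names none of the CVE identifiers from the bug title, only "[security fixes]" in the subject; for a graft, list the fixed CVEs (the nine from the title plus CVE-2021-20227 added in message #10) in the commit body so the change can be matched to the advisories without reading this bug. The forward reference to `sqlite/fixed`, defined further down in the same file, is fine because the `replacement` field of the package record is thunked, i.e. evaluated lazily; it would not be fine in an eagerly evaluated field.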
> @@ -122,6 +123,26 @@ widely deployed SQL database engine in the world.  The source code for SQLite
>  is in the public domain.")
>     (license license:public-domain)))
>  
> +(define-public sqlite/fixed
> +  (package/inherit sqlite
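Review bot: `package/inherit` on the last quoted line is the wrong form for a replacement package. It re-applies the same overrides to the parent's own `replacement`, and the parent's replacement is the very package being defined, so `sqlite/fixed` would end up with a replacement derived from itself rather than being the end of the graft chain. Use `(package (inherit sqlite) ...)` here, as Mark H Weaver's reply below and the existing `mysql/fixed` do. The quote stops at this line, so the `version`, `source` URL and sha256 for the 3.32.3 tarball that the rest of the definition must override cannot be checked from this message.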

Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should
*not* use 'package/inherit', since the package you're defining is the
replacement for the package you're inheriting from.

Otherwise, it looks good to me!

     Thanks,
       Mark




Reply sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
You have taken responsibility. (Fri, 26 Mar 2021 01:37:02 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Fri, 26 Mar 2021 01:37:02 GMT)

Message #33 received at 47231-done <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Mark H Weaver <mhw <at> netris.org>, 47231-done <at> debbugs.gnu.org, Tobias
 Geerinckx-Rice <me <at> tobias.gr>
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Fri, 26 Mar 2021 02:36:16 +0100
[Message part 1 (text/plain, inline)]
On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
> 
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed'
> should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
> 
> Otherwise, it looks good to me!
> 
>      Thanks,
>        Mark

Adapted, wasn't sure what package/inherit was for exactly.

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long.  If that doesn't cause 
> > problems this LGTM for master.
> 
> OK, it worked, old IceCat writes new SQLite files.
> 
> Kind regards,
> 
> T G-R

Thank you both for the review!

Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 23 Apr 2021 11:24:07 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.