CVE-2018-8740 (https://nvd.nist.gov/vuln/detail/CVE-2018-8740):

In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

@Maintainers please advise best way to go. Thank you
*** Bug 650950 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be543fafedd32992806bc47f634f8c8b7af488fe

commit be543fafedd32992806bc47f634f8c8b7af488fe
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-04-15 18:20:32 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-04-15 18:20:49 +0000

    dev-db/sqlite: version bump.

    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/sqlite/Manifest             |   3 +
 dev-db/sqlite/sqlite-3.23.1.ebuild | 307 +++++++++++++++++++++++++++++++++++++
 2 files changed, 310 insertions(+)
Hi there

As per https://www.securityfocus.com/bid/103466, versions below 3.23.1 are affected by this CVE. I've bumped the ebuild.

Arfrever, can you double check the ebuild I've just committed? If you're ok with it, please CC arches in to this bug for stabilisation to proceed.
I have not forgotten about this bug and I have been working on ebuild and updated patch(es).

(In reply to Patrice Clement from comment #3)

*-build.patch are always needed and must not be dropped.
Revert this commit immediately.
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #4)
> I have not forgotten about this bug and I have been working on ebuild and
> updated patch(es).

Why haven't you posted a comment on this bug then?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01db7ff78e07680699a775d201159c527e2a671d

commit 01db7ff78e07680699a775d201159c527e2a671d
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-04-15 19:34:18 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-04-15 19:34:56 +0000

    dev-db/sqlite: remove version 3.23.1.

    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/sqlite/Manifest             |   3 -
 dev-db/sqlite/sqlite-3.23.1.ebuild | 307 -------------------------------------
 2 files changed, 310 deletions(-)
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #4)
> *-build.patch are always needed and must not be dropped.
> Revert this commit immediately.

Done.

Sorry but your comment is a bit too easy. This is a major CVE that affects all current sqlite versions in the tree. As you know, sqlite is a critical building-block for other software across the tree. We can't afford a one month timeout until maintainers wake up and decide to put a patch together. Get it fixed ASAP.
SQLite 3.23.1 was released just 4 days ago. SQLite 3.23.0 was released several days earlier, and as expected, it had several regressions. My updated ebuild should be ready tomorrow.
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)
> My updated ebuild should be ready tomorrow.

Ping.
Ebuild was already committed.
Stabilize dev-db/sqlite-3.23.1.
Still not happy about bug 610666 (and somewhat bug 653450); but as this is a security stabilization (unlike sqlite-3.22.0 before):

arm64 stable

PS: other arches haven't done anything as package list is empty and sanity-check therefore isn't done by stable-bot.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc87fbd48db5794ba11ee4c62bdf2f2c6c327b4c

commit fc87fbd48db5794ba11ee4c62bdf2f2c6c327b4c
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-26 16:39:54 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-26 20:52:28 +0000

    dev-db/sqlite: stable 3.23.1 for sparc

    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/sqlite/sqlite-3.23.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82accf4780e2ad9a5ee75ef6b0ffea7f3827f02e

commit 82accf4780e2ad9a5ee75ef6b0ffea7f3827f02e
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-27 22:50:30 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-27 22:50:38 +0000

    dev-db/sqlite: stable 3.23.1 for ia64, bug #650952

    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.31, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 dev-db/sqlite/sqlite-3.23.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
arm stable
Stable on alpha.
ppc64 stable
ppc stable
Final arches are exp.

GLSA Vote: No

@maintainer(s), please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68ddcc90b13fe5415a63154d0eba7fdc455fe60b

commit 68ddcc90b13fe5415a63154d0eba7fdc455fe60b
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-05-25 17:25:02 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-05-25 17:25:02 +0000

    dev-db/sqlite: Drop old wrt bug #650952 (long delay)

    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/sqlite/Manifest                |   9 -
 dev-db/sqlite/sqlite-3.20.1-r1.ebuild | 275 ------------------------------
 dev-db/sqlite/sqlite-3.21.0.ebuild    | 284 -------------------------------
 dev-db/sqlite/sqlite-3.22.0.ebuild    | 303 ----------------------------------
 4 files changed, 871 deletions(-)
m68k/s390/ah stable, hppa lost its stable