Stabilize dev-db/sqlite-3.25.3.
ia64/ppc/ppc64 stable
sparc stable
HPPA stable (by Jeroen Roovers).
Converting bug to security bug. =dev-db/sqlite-3.25.3 closes a remote code execution vulnerability named "Magellan".
*** Bug 673154 has been marked as a duplicate of this bug. ***
I think 3.25.3 have no Fix for that Magellan Bug. Tencent and a German Newspaper wrote that Version 3.26.0 is secure. >If your product uses SQLite, please update to 3.26.0 Because of that, i think 3.25.3 is still vulnerable. Release Log of 3.25.3 was released at 5. November and list some fixes. I think that was other minor issues. See https://www.sqlite.org/releaselog/3_25_3.html But i did not compare the patch or source Code or if you try to fix the issue in 3.25.3. Stay fine Gentoo Users and Happy Holidays!
Sorry for spam that Bug. It seems that 3.25.3 fix the Crash for sqlite but still allow to corrupt the Database. And 3.26.0 introduce Shadow-Tables and a Check for Injection to avoid a corrupt Database. https://twitter.com/11rcombs/status/1073794230236209152 Google fix there Browsers with an Update to Version 3.25.3, too. This had confused me.
dev-db/sqlite-3.26.0 will be added, but security fix is present in dev-db/sqlite-3.25.3. In https://sqlite.org/releaselog/3_25_3.html relevant fix is described as: 3. Strengthen defenses against deliberately corrupted database files. Relevant commit on branch "branch-3.25" (https://sqlite.org/src/timeline?r=branch-3.25) is: Add extra defenses against strategically corrupt databases to fts3/4. https://sqlite.org/src/info/940f2adc8541a838 Fix also has been hodiernally backported in 4 other branches: "branch-3.9", "branch-3.18", "branch-3.19", "branch-3.22". In https://sqlite.org/releaselog/3_26_0.html relevant new features are described as: 3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL. 4. Added support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled." So new explicit call to sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL) in applications wanting additional protection will be needed.
alpha stable
arm stable
s390 stable
arm64 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1de0c0836625f3a11d173ed910cefd6ebc1d8e56 commit 1de0c0836625f3a11d173ed910cefd6ebc1d8e56 Author: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org> AuthorDate: 2019-02-27 22:09:21 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2019-02-27 22:35:19 +0000 dev-db/sqlite: Delete old versions (<3.25.3). Bug: https://bugs.gentoo.org/672942 Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org> Signed-off-by: Mike Gilbert <floppym@gentoo.org> dev-db/sqlite/Manifest | 9 - .../sqlite-3.21.0-nonfull_archive-build.patch | 14 - .../files/sqlite-3.23.0-full_archive-build.patch | 407 --------------------- ...to_table-valued_functions_within_triggers.patch | 24 -- .../files/sqlite-3.23.1-full_archive-tests.patch | 224 ------------ ...to_table-valued_functions_within_triggers.patch | 14 - ...ll_archive-archive_command_paths_handling.patch | 14 - .../files/sqlite-3.24.0-full_archive-build.patch | 407 --------------------- ...ll_archive-archive_command_paths_handling.patch | 14 - ...low_window_functions_in_recursive_queries.patch | 49 --- ...low_window_functions_in_recursive_queries.patch | 19 - dev-db/sqlite/sqlite-3.23.1.ebuild | 309 ---------------- dev-db/sqlite/sqlite-3.24.0.ebuild | 308 ---------------- dev-db/sqlite/sqlite-3.25.2.ebuild | 322 ---------------- 14 files changed, 2134 deletions(-)
This issue was resolved and addressed in GLSA 201904-21 at https://security.gentoo.org/glsa/201904-21 by GLSA coordinator Aaron Bauman (b-man).
