1) CVE-2020-11655

Description: "SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled."

Bug: https://www.sqlite.org/src/tktview?name=af4556bb5c
Patch: https://www.sqlite.org/src/info/4a302b42c7bf5e11

2) CVE-2020-11656

Description: "In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement."

Patch: https://www.sqlite.org/src/info/d09f8c3621d5f7f8
Patch: https://www.sqlite.org/src/info/b64674919f673602
@maintainer(s), please create an appropriate ebuild with the patches used if you feel they are not too invasive. Otherwise we will wait for a new release.
CVE-2019-20218 (https://nvd.nist.gov/vuln/detail/CVE-2019-20218): selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
(In reply to GLSAMaker/CVETool Bot from comment #2)
> CVE-2019-20218 (https://nvd.nist.gov/vuln/detail/CVE-2019-20218):
> selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack
> unwinding even after a parsing error.

Ignore this, actually.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df401c888693da5b3d295e0e0bfc15d20c88b798

commit df401c888693da5b3d295e0e0bfc15d20c88b798
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2020-05-23 10:24:31 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-05-24 19:07:23 +0000

    dev-db/sqlite: version bump to 3.32.0

    Closes: https://bugs.gentoo.org/724644
    Bug: https://bugs.gentoo.org/716748
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/15922

 dev-db/sqlite/Manifest             |   3 +
 dev-db/sqlite/sqlite-3.32.0.ebuild | 388 +++++++++++++++++++++++++++++++++++++
 2 files changed, 391 insertions(+)
Let us know when ready for stable.
* CVE-2020-13630
  Description: "ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature."

* CVE-2020-13631
  Description: "SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c."

* CVE-2020-13632
  Description: "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query."
* CVE-2020-13434
  Description: "SQLite >=3.8.3 <3.32.1 has an integer overflow in sqlite3_str_vappendf in printf.c."
  Report: https://sqlite.org/src/info/23439ea582241138
  Commit: https://sqlite.org/src/info/d08d3405878d394e

* CVE-2020-13435
  Description: "SQLite <3.32.1 has a segmentation fault in sqlite3ExprCodeTarget in expr.c."
  Report: https://sqlite.org/src/info/7a5279a25c57adf1
  Commit: https://sqlite.org/src/info/572105de1d44bca4
*** Bug 725118 has been marked as a duplicate of this bug. ***
* CVE-2020-13871
  Description: "SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late."
* CVE-2020-13871

Report: https://sqlite.org/src/info/c8d3b9f0a750a529
"Use after free in resetAccumulator."
Commit (trunk): https://sqlite.org/src/info/0b42a2277e5bf527
Commit (branch-3.32): https://sqlite.org/src/info/79eff1d0383179c4
Other fixes in window-function parse-tree rewriting:

Commit (trunk): https://sqlite.org/src/info/c4072267dc870830

Commit (trunk): https://sqlite.org/src/info/3de19ee22a179379

Commit (trunk): https://sqlite.org/src/info/c96914ea02aa5be4

Report: https://sqlite.org/src/info/0899cf62f597d7e7
"Segfault in sqlite3VdbeExec"
Commit (trunk): https://sqlite.org/src/info/2cddb24e911588d9

Commit (trunk): https://sqlite.org/src/info/3926ff1725710070

Commit (trunk): https://sqlite.org/src/info/03b32be44d9d2783

Report: https://sqlite.org/src/info/1f6f353b684fc708
"Segfault in sqlite3VdbeExec"
Commit (trunk): https://sqlite.org/src/info/8583c3483c1b1ab2

Commit (trunk): https://sqlite.org/src/info/0e021887a1307fa3

Commit (branch-3.32): https://sqlite.org/src/info/05418b2a4a6e6a94
(In reply to comment #10, comment #11 and other regressions)
> * CVE-2020-13871
>
> Report: https://sqlite.org/src/info/c8d3b9f0a750a529
> "Use after free in resetAccumulator."
> Commit (trunk): https://sqlite.org/src/info/0b42a2277e5bf527
> Commit (branch-3.32): https://sqlite.org/src/info/79eff1d0383179c4
>
> Other fixes in window-function parse-tree rewriting:
>
> Commit (trunk): https://sqlite.org/src/info/c4072267dc870830
>
> Commit (trunk): https://sqlite.org/src/info/3de19ee22a179379
>
> Commit (trunk): https://sqlite.org/src/info/c96914ea02aa5be4
>
> Report: https://sqlite.org/src/info/0899cf62f597d7e7
> "Segfault in sqlite3VdbeExec"
> Commit (trunk): https://sqlite.org/src/info/2cddb24e911588d9
>
> Commit (trunk): https://sqlite.org/src/info/3926ff1725710070
>
> Commit (trunk): https://sqlite.org/src/info/03b32be44d9d2783
>
> Report: https://sqlite.org/src/info/1f6f353b684fc708
> "Segfault in sqlite3VdbeExec"
> Commit (trunk): https://sqlite.org/src/info/8583c3483c1b1ab2
>
> Commit (trunk): https://sqlite.org/src/info/0e021887a1307fa3
>
> Commit (branch-3.32): https://sqlite.org/src/info/05418b2a4a6e6a94
>
> Report: https://sqlite.org/src/info/e5504e987e419fb0
> "Segfault in sqlite3VdbeCursorMoveto"
> Report: https://sqlite.org/src/info/f7d890858f361402
> "Segfault in moveToRoot"

All above commits were reverted in trunk and branch "branch-3.32" (i.e. moved to different branches).

New fixes:

Commit (trunk): https://sqlite.org/src/info/6e6b3729e0549de0
"When an Expr object is changed and that Expr is referenced by an AggInfo, then also update the AggInfo. Also, persist all AggInfo objects until the Parse object is destroyed. This is a new fix for ticket [c8d3b9f0a750a529] that avoids the follow-on problems identified by tickets [0899cf62f597d7e7], [1f6f353b684fc708], [e5504e987e419fb0], and [f7d890858f361402]."
Commit (branch-3.32): https://sqlite.org/src/info/44a58d6cb135a104
New fixes:

Report: https://sqlite.org/src/info/7c6d876f84e6e7e2
"Use after free in resetAccumulator."
Commit (trunk): https://sqlite.org/src/info/c29a9e484e1dd245
Commit (branch-3.32): https://sqlite.org/src/info/dafd2466a10f68ac

Commit (trunk): https://sqlite.org/src/info/65179814aa0ae592
Commit (branch-3.32): https://sqlite.org/src/info/7e2833fb2be8e7df

Commit (trunk): https://sqlite.org/src/info/094dcfe779613301
Commit (branch-3.32): https://sqlite.org/src/info/d31850fe50420cb0

Report: https://sqlite.org/src/info/b706351c
"Segfault in sqlite3Select"
Commit (trunk): https://sqlite.org/src/info/32a88bdd4be5acdc

Commit (trunk): https://sqlite.org/src/info/44e573ecd5c2b601

Commit (trunk): https://sqlite.org/src/info/9a4a40c45feb2bb8

Report: https://bugs.chromium.org/p/chromium/issues/detail?id=1094247
"sqlite3_ossfuzz_fuzzer: Null-dereference READ in resolveExprStep"
Commit (trunk): https://sqlite.org/src/info/ad738286e2441b5e

Report: https://sqlite.org/src/info/e367f31901ea8700
"Assertion `pExpr->pAggInfo==pAggInfo' failed."
Commit (trunk): https://sqlite.org/src/info/cc1fffdeddf42240

Report: https://sqlite.org/src/info/9fb26d37cefaba40
"Assertion `flags3==pIn3->flags' failed."
Commit (trunk): https://sqlite.org/src/info/90b1169d1b200d35

Report: https://sqlite.org/src/info/8f157e8010b22af0
"Heap Buffer Overflow in multiSelectOrderBy"
Commit (trunk): https://sqlite.org/src/info/10fa79d00f8091e5

Commit (trunk): https://sqlite.org/src/info/a58a6d6fb241a50c
Commit (branch-3.32): https://sqlite.org/src/info/d55b8e7993997e6b

Commit (trunk): https://sqlite.org/src/info/4adc0a1b0d84c2df
Commit (branch-3.32): https://sqlite.org/src/info/ea71fb7fabcce71a

Commit (trunk): https://sqlite.org/src/info/4a340c9bc7d939ef
Commit (branch-3.32): https://sqlite.org/src/info/b69b9c0628feac9f
CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Patch: https://www.sqlite.org/src/info/10fa79d00f8091e5
New fixes:

Commit (trunk): https://sqlite.org/src/info/cc888878ea8d5bc7
Commit (trunk): https://sqlite.org/src/info/be545f85a6ef09cc
Commit (trunk): https://sqlite.org/src/info/6e0ffa2053124168
New fixes:

Commit (trunk): https://sqlite.org/src/info/4d0cfb1236884349
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51cc692bb2bd55a85dd31fbcd972fe590879e429

commit 51cc692bb2bd55a85dd31fbcd972fe590879e429
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2020-07-02 13:57:21 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-04 13:52:28 +0000

    dev-db/sqlite: Security fixes.

    Bug: https://bugs.gentoo.org/716748
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../files/sqlite-3.32.3-security_fixes.patch | 146 +++++++++++++++++++++
 dev-db/sqlite/sqlite-3.32.3.ebuild           |   1 +
 2 files changed, 147 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ace56886862557c51491ff03ab6a82fb5373786

commit 1ace56886862557c51491ff03ab6a82fb5373786
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2020-07-02 13:37:59 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-04 13:52:27 +0000

    dev-db/sqlite: Version bump (3.32.3).

    Bug: https://bugs.gentoo.org/716748
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 dev-db/sqlite/Manifest                             |   3 +
 .../files/sqlite-3.32.1-full_archive-build_1.patch | 670 +++++++++++++++++++++
 .../files/sqlite-3.32.1-full_archive-build_2.patch | 640 ++++++++++++++++++++
 dev-db/sqlite/sqlite-3.32.3.ebuild                 | 393 ++++++++++++
 4 files changed, 1706 insertions(+)
Arfrever mentioned he wants to wait ~ a week because of the large number of changes.
sqlite-3.32.3: error: include location '/usr/include' is unsafe for cross-compilation [-Werror,-Wpoison-system-directories]
sqlite-3.32.3: In file included from sqlite3.c:26208:
sqlite-3.32.3: /usr/include/pthread.h:744:12: warning: declaration of built-in function '__sigsetjmp' requires the declaration of the 'jmp_buf' type, commonly provided in the header <setjmp.h>. [-Wincomplete-setjmp-declaration]
sqlite-3.32.3: extern int __sigsetjmp (struct __jmp_buf_tag *__env, int __savemask) __THROWNL;
sqlite-3.32.3:            ^
sqlite-3.32.3: 1 warning and 1 error generated.
sqlite-3.32.3: make: *** [Makefile:787: sqlite3.lo] Error 1
(In reply to allenwebb from comment #19)

Not regressions. File new bug, show `emerge --info` and attach full build log.
(In reply to Sam James from comment #18)
> Arfrever mentioned he wants to wait ~ a week because of the large number of
> changes.

ping
arm64 stable
s390 stable
ppc64 stable
arm stable (I hit bug 733092 on the previous version too)
ppc stable
sparc stable
CVE-2020-15358 (https://nvd.nist.gov/vuln/detail/CVE-2020-15358): In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
This issue was resolved and addressed in GLSA 202007-26 at https://security.gentoo.org/glsa/202007-26 by GLSA coordinator Sam James (sam_c).
Stabilization not yet finished on HPPA.
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #30)
> Stabilization not yet finished on HPPA.

Beat me to it!
hppa stable
Please clean up.
Cleanup done in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47ae30c1ae0a6d5c9790f348dca36afed8589714.