760690 – (CVE-2020-27207) <dev-db/sqlcipher-4.5.1: use after free leading to DoS (CVE-2020-27207)

Bug 760690 (CVE-2020-27207) - <dev-db/sqlcipher-4.5.1: use after free leading to DoS (CVE-2020-27207)

Summary: <dev-db/sqlcipher-4.5.1: use after free leading to DoS (CVE-2020-27207)

Status:	IN_PROGRESS

Alias:	CVE-2020-27207

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://www.telekom.com/resource/blob...
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	836922 837008
Blocks:
	Show dependency tree

Reported:	2020-12-19 03:29 UTC by John Helmert III
Modified:	2024-06-28 10:57 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-12-19 03:29:26 UTC

CVE-2020-27207 (https://github.com/sqlcipher/sqlcipher/compare/v4.4.0...v4.4.1):

Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.


Maintainer, please bump to 4.4.1.

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:25:02 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:33:34 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:41:27 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:49:36 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 18:05:31 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:13:49 UTC

Package list is empty or all packages have requested keywords.

Comment 7 Till Schäfer 2022-01-04 10:40:39 UTC

Simply renaming the latest ebuild to the 4.5.0 works like a charm here.

Comment 8 Sergey Popov (RETIRED) gentoo-dev

2022-04-05 10:23:32 UTC

Arches, please test and mark stable:
=dev-db/sqlcipher-4.5.1

Thanks in advance

Comment 9 John Helmert III archtester

2022-04-06 13:54:01 UTC

No, stabilizations are not done in security bugs anymore, as announced here:

https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557

Please also remember to use Bug: tags to associate the security bump to the security bug.

Comment 10 John Helmert III archtester

2022-04-09 13:52:16 UTC

Please cleanup.

Comment 11 Larry the Git Cow gentoo-dev

2022-04-11 07:01:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff28e488512db2d448a46dd2144a846399904cc7

commit ff28e488512db2d448a46dd2144a846399904cc7
Author:     Sergey Popov <pinkbyte@gentoo.org>
AuthorDate: 2022-04-11 07:00:16 +0000
Commit:     Sergey Popov <pinkbyte@gentoo.org>
CommitDate: 2022-04-11 07:00:29 +0000

    dev-dv/sqlcipher: drop old vulnerable version
    
    Bug: https://bugs.gentoo.org/760690
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Sergey Popov <pinkbyte@gentoo.org>

 dev-db/sqlcipher/Manifest               |  1 -
 dev-db/sqlcipher/sqlcipher-4.0.1.ebuild | 70 ---------------------------------
 2 files changed, 71 deletions(-)