
Bug 650952 (CVE-2018-8740)

Summary: <dev-db/sqlite-3.23.1: Denial of Service vulnerability through corrupted schemas
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: arfrever.fta, che
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
dev-db/sqlite-3.23.1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-20 01:40:09 UTC
CVE-2018-8740 (https://nvd.nist.gov/vuln/detail/CVE-2018-8740):
  In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE
  TABLE AS statement could cause a NULL pointer dereference, related to
  build.c and prepare.c.


@Maintainers please advise best way to go.

Thank you
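
An added example, not part of the original bug report and not Gentoo or SQLite project code: a guard an application could place in front of untrusted database files, refusing to let a library older than the fixed version in this bug's summary (3.23.1) parse their schema. The function names, status strings and the read-only URI open are assumptions of this example.

```python
import sqlite3
import urllib.parse

# First unaffected version, taken from this bug's summary (<dev-db/sqlite-3.23.1).
FIXED = (3, 23, 1)


def parse_version(text):
    """'3.22.0' -> (3, 22, 0); short versions are padded, '3.23' -> (3, 23, 0)."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True when the given SQLite library version predates the fixed one."""
    return parse_version(version_text) < FIXED


def check_untrusted_db(path, runtime_version=sqlite3.sqlite_version):
    """Return (status, detail) for a database file from an untrusted source.

    The schema is parsed by the library the first time a statement is
    prepared, so the version gate has to run before any query is issued.
    """
    if is_affected(runtime_version):
        return ("refused", "linked SQLite %s is older than %s"
                % (runtime_version, ".".join(map(str, FIXED))))
    uri = "file:%s?mode=ro" % urllib.parse.quote(path)  # never write to the file
    try:
        conn = sqlite3.connect(uri, uri=True)
        try:
            # Forces the schema to be loaded; a library that detects a
            # malformed schema or file raises DatabaseError here.
            rows = conn.execute("SELECT type, name FROM sqlite_master").fetchall()
        finally:
            conn.close()
    except sqlite3.DatabaseError as exc:
        return ("rejected", str(exc))
    return ("ok", "%d schema entries" % len(rows))


if __name__ == "__main__":
    print("linked SQLite:", sqlite3.sqlite_version,
          "affected" if is_affected(sqlite3.sqlite_version) else "not affected")
```
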
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-20 01:42:09 UTC
*** Bug 650950 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2018-04-15 18:20:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be543fafedd32992806bc47f634f8c8b7af488fe

commit be543fafedd32992806bc47f634f8c8b7af488fe
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-04-15 18:20:32 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-04-15 18:20:49 +0000

    dev-db/sqlite: version bump.
    
    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/sqlite/Manifest             |   3 +
 dev-db/sqlite/sqlite-3.23.1.ebuild | 307 +++++++++++++++++++++++++++++++++++++
 2 files changed, 310 insertions(+)
Comment 3 Patrice Clement gentoo-dev 2018-04-15 18:24:51 UTC
Hi there

As per https://www.securityfocus.com/bid/103466, versions below 3.23.1 are affected by this CVE. I've bumped the ebuild.

Arfrever can you double check the ebuild I've just committed? If you're ok with it, please CC arches in to this bug for stabilisation to proceed.
Comment 4 Arfrever Frehtes Taifersar Arahesis 2018-04-15 19:06:34 UTC
I have not forgotten about this bug and I have been working on ebuild and updated patch(es).

(In reply to Patrice Clement from comment #3)

*-build.patch are always needed and must not be dropped.
Revert this commit immediately.
Comment 5 Patrice Clement gentoo-dev 2018-04-15 19:32:58 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #4)
> I have not forgotten about this bug and I have been working on ebuild and
> updated patch(es).
> 

Why haven't you posted a comment on this bug then?
Comment 6 Larry the Git Cow gentoo-dev 2018-04-15 19:35:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01db7ff78e07680699a775d201159c527e2a671d

commit 01db7ff78e07680699a775d201159c527e2a671d
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-04-15 19:34:18 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-04-15 19:34:56 +0000

    dev-db/sqlite: remove version 3.23.1.
    
    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/sqlite/Manifest             |   3 -
 dev-db/sqlite/sqlite-3.23.1.ebuild | 307 -------------------------------------
 2 files changed, 310 deletions(-)
Comment 7 Patrice Clement gentoo-dev 2018-04-15 19:40:42 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #4)
> *-build.patch are always needed and must not be dropped.
> Revert this commit immediately.

Done.

Sorry but your comment is a bit too easy. This is a major CVE that affects all current sqlite versions in the tree. As you know, sqlite is a critical building-block for other software across the tree. We can't afford a one month timeout until maintainers wake up and decide to put a patch together. Get it fixed ASAP.
Comment 8 Arfrever Frehtes Taifersar Arahesis 2018-04-15 22:40:37 UTC
SQLite 3.23.1 was released just 4 days ago.
SQLite 3.23.0 was released several days earlier, and as expected, it had several regressions.
My updated ebuild should be ready tomorrow.
Comment 9 Patrice Clement gentoo-dev 2018-04-16 19:26:10 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)
> My updated ebuild should be ready tomorrow.

Ping.
Comment 10 Arfrever Frehtes Taifersar Arahesis 2018-04-16 19:55:32 UTC
Ebuild was already committed.
Comment 11 Arfrever Frehtes Taifersar Arahesis 2018-04-16 19:56:54 UTC
Stabilize dev-db/sqlite-3.23.1.
Comment 12 Mart Raudsepp gentoo-dev 2018-04-21 21:33:15 UTC
Still not happy about bug 610666 (and somewhat bug 653450); but as this is a security stabilization (unlike sqlite-3.22.0 before): arm64 stable

PS: other arches haven't done anything as package list is empty and sanity-check therefore isn't done by stable-bot.
Comment 13 Larry the Git Cow gentoo-dev 2018-04-26 20:53:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc87fbd48db5794ba11ee4c62bdf2f2c6c327b4c

commit fc87fbd48db5794ba11ee4c62bdf2f2c6c327b4c
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-26 16:39:54 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-26 20:52:28 +0000

    dev-db/sqlite: stable 3.23.1 for sparc
    
    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/sqlite/sqlite-3.23.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Larry the Git Cow gentoo-dev 2018-04-27 22:50:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82accf4780e2ad9a5ee75ef6b0ffea7f3827f02e

commit 82accf4780e2ad9a5ee75ef6b0ffea7f3827f02e
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-27 22:50:30 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-27 22:50:38 +0000

    dev-db/sqlite: stable 3.23.1 for ia64, bug #650952
    
    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.31, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 dev-db/sqlite/sqlite-3.23.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-04-28 20:12:03 UTC
arm stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2018-05-14 12:40:10 UTC
Stable on alpha.
Comment 17 Matt Turner gentoo-dev 2018-05-25 03:47:15 UTC
ppc64 stable
Comment 18 Matt Turner gentoo-dev 2018-05-25 04:19:53 UTC
ppc stable
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2018-05-25 12:45:14 UTC
Final arches are exp.

GLSA Vote: No

@maintainer(s), please clean up.
Comment 20 Larry the Git Cow gentoo-dev 2018-05-25 17:25:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68ddcc90b13fe5415a63154d0eba7fdc455fe60b

commit 68ddcc90b13fe5415a63154d0eba7fdc455fe60b
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-05-25 17:25:02 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-05-25 17:25:02 +0000

    dev-db/sqlite: Drop old wrt bug #650952 (long delay)
    
    Bug: https://bugs.gentoo.org/650952
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/sqlite/Manifest                |   9 -
 dev-db/sqlite/sqlite-3.20.1-r1.ebuild | 275 ------------------------------
 dev-db/sqlite/sqlite-3.21.0.ebuild    | 284 -------------------------------
 dev-db/sqlite/sqlite-3.22.0.ebuild    | 303 ----------------------------------
 4 files changed, 871 deletions(-)
Comment 21 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-25 17:26:50 UTC
m68k/s390/ah stable, hppa lost its stable