Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 673154

Summary: <dev-db/sqlite-3.26.0: Security vulnerability / potential RCE
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: aklhfex, arfrever.fta, herrtimson, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blade.tencent.com/magellan/index_en.html
Whiteboard:
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2018-12-14 22:57:27 UTC
There's a report about a severe security vuln in sqlite before 3.26.0:
https://blade.tencent.com/magellan/index_en.html

This is unfortunately lacking any details and it sounds overhyped, but still it'd probably be good to update asap.
Comment 1 Luke-Jr 2018-12-15 17:13:25 UTC
Chromium apparently fixed it by updating their bundled copy to 3.25.3, so I suspect that is sufficient.

It's pretty serious in the Chromium use case, since it allows arbitrary websites to exploit it.

Other affected* packages (maybe should get sqlite de-bundled anyway):

- dev-qt/qtwebengine-5.11.1
- dev-perl/DBD-SQLite-1.560.0
- dev-qt/qt-creator-4.6.2
- sys-libs/db-5.3.28-r2
- dev-db/sqlcipher-3.4.2

* It's possible their /usage/ of SQLite isn't meaningfully vulnerable; I didn't check that.
Comment 2 Luke-Jr 2018-12-15 18:21:10 UTC
I'm not sure if it's safe, but Qt Creator at least *seems* to work using the system SQLite if I just delete its copy (/usr/lib64/qtcreator/libSqlite.so.4.6.2)
Comment 3 Chris Mayo 2018-12-15 19:40:40 UTC
Write-up that seems convincing here:

https://news.ycombinator.com/item?id=18686305

Including what appears to be an endorsement from Richard Hipp pointing to the page:

https://www.sqlite.org/security.html

If the write-up is to be believed then the specific fix is in 3.25.3 (currently stable for amd64 and x86), 3.26.0 includes a more generic solution that is off by default and will require applications to enable.
Comment 4 Luke-Jr 2018-12-17 18:35:23 UTC
Qt WebEngine bug tracker: https://bugreports.qt.io/browse/QTBUG-72632
Comment 5 Luke-Jr 2018-12-17 18:37:17 UTC
Qt WebEngine bug tracker: https://bugreports.qt.io/browse/QTBUG-72632
Comment 6 Thomas Deutschmann gentoo-dev 2018-12-18 16:46:57 UTC

*** This bug has been marked as a duplicate of bug 672942 ***
Comment 7 Arfrever Frehtes Taifersar Arahesis 2018-12-19 08:37:06 UTC
dev-db/sqlite-3.26.0 will be added, but security fix is present in dev-db/sqlite-3.25.3.

In https://sqlite.org/releaselog/3_25_3.html relevant fix is described as:
    3. Strengthen defenses against deliberately corrupted database files.

Relevant commit on branch "branch-3.25" (https://sqlite.org/src/timeline?r=branch-3.25) is:
    Add extra defenses against strategically corrupt databases to fts3/4.
    https://sqlite.org/src/info/940f2adc8541a838
Fix also has been hodiernally backported in 4 other branches: "branch-3.9", "branch-3.18", "branch-3.19", "branch-3.22".


In https://sqlite.org/releaselog/3_26_0.html relevant new features are described as:
    3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.
    4. Added support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled."
So new explicit call to sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL) in applications wanting additional protection will be needed.