Bug 684840 (CVE-2019-9936, CVE-2019-9937)

Summary: <dev-db/sqlite-3.28.0: Multiple Vulnerabilities (CVE-2019-{9936,9937})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: arfrever.fta
Priority: Normal
Version: unspecified
Hardware: All
OS: All
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 685838
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-01 00:19:21 UTC
CVE-2019-9937 (https://nvd.nist.gov/vuln/detail/CVE-2019-9937):
  In SQLite 3.27.2, interleaving reads and writes in a single transaction with
  an fts5 virtual table will lead to a NULL Pointer Dereference in
  fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and
  ext/fts5/fts5_index.c.

CVE-2019-9936 (https://nvd.nist.gov/vuln/detail/CVE-2019-9936):
  In SQLite 3.27.2, running fts5 prefix queries inside a transaction could
  trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c,
  which may lead to an information leak. This is related to
  ext/fts5/fts5_hash.c.
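Both CVEs above are fixed in SQLite 3.28.0 (the bug summary marks <dev-db/sqlite-3.28.0 as affected) and only reachable through fts5 virtual tables. The following is an added example, not part of this bug report or of the SQLite or Gentoo projects: a small Python check that compares the SQLite library linked into the interpreter against the fixed version and reports whether the fts5 extension is even compiled in. The fixed-version tuple and the "affected" threshold are assumptions taken from the summary line; the rest uses only the standard sqlite3 module.

```python
import sqlite3

# First release carrying the fixes for CVE-2019-9936 and CVE-2019-9937,
# taken from the bug summary ("<dev-db/sqlite-3.28.0" is affected).
FIXED_VERSION = (3, 28, 0)


def parse_version(text):
    """Turn a dotted version such as '3.27.2' into a (major, minor, patch)
    tuple; missing trailing components default to 0 so '3.28' == (3, 28, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the given SQLite version predates the first fixed release."""
    return tuple(version) < FIXED_VERSION


def fts5_available():
    """Report whether the linked library can create fts5 virtual tables.
    Uses a throwaway in-memory database; the CVEs only matter on builds
    where fts5 is compiled in."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE probe USING fts5(body)")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


def check_linked_sqlite():
    """Summarise the SQLite library linked into this Python interpreter:
    its version, whether it predates the fix, and whether fts5 is present.
    Exposure to these two CVEs requires both conditions to be true."""
    version = sqlite3.sqlite_version_info
    affected = is_affected(version)
    has_fts5 = fts5_available()
    return {
        "version": sqlite3.sqlite_version,
        "affected": affected,
        "fts5": has_fts5,
        "exposed": affected and has_fts5,
    }


if __name__ == "__main__":
    for key, value in check_linked_sqlite().items():
        print(f"{key}: {value}")
```

Run it on a host to see which SQLite the application stack actually loads; a distribution package being fixed does not help a bundled or vendored copy of sqlite3.c, which is why the check reads the version from the library in use rather than from the package manager.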
Comment 1 D'juan McDonald (domhnall) 2019-05-01 01:29:19 UTC
Upstream fixes:

CVE-2019-9937
https://sqlite.org/src/info/45c73deb440496e8

CVE-2019-9936
https://sqlite.org/src/info/b3fa58dd7403dbd4
Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-05-02 02:54:29 UTC
I am aware of the release of SQLite 3.28.0, but there are several problems:
- Test failures with USE="icu", now fixed:
  https://marc.info/?t=155623583500001&r=1&w=2
- Segmentation fault triggered by test suite (on x86_64, seemingly not on x86_32), investigation ongoing
- Some incompatible change in behavior of fts3_tokenizer() function, potentially breaking some reverse dependencies
Comment 3 Arfrever Frehtes Taifersar Arahesis 2019-05-05 20:29:02 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #2)
> - Segmentation fault triggered by test suite

This problem is now fixed:
https://marc.info/?t=155678524000002&r=1&w=2
https://sqlite.org/src/info/c509d8a8aebe0da4
Comment 4 Arfrever Frehtes Taifersar Arahesis 2019-05-05 20:37:05 UTC
dev-db/sqlite-3.28.0 is now in the tree.

Security fixes made after release of 3.28.0 have been backported:
  https://sqlite.org/src/info/b2ce5ed175cb5029
  2019-04-22 11:47:40
  "Fix an assert() that may be false for corrupt databases."

  https://sqlite.org/src/info/6e4a5f22811bcd14
  2019-04-24 15:13:02
  "Fix an error in fts3_write.c allowing a corrupt database to cause a crash."

  https://sqlite.org/src/info/516ca8945150bdc1
  2019-04-24 15:57:25
  "Fix a problem in fts5 where a corrupt position list could lead to a buffer overwrite."

  https://sqlite.org/src/info/e1724f1d618cfbcf
  2019-04-24 16:13:52
  "Fix another instance in fts3 where a corrupt record can cause a buffer overflow."

  https://sqlite.org/src/info/c621fc668c6538f9
  2019-04-29 11:27:58
  "Fix a stack overflow that could occur when renaming a table that has a trigger containing a window function invocation that itself contains a specific syntax error."

  https://sqlite.org/src/info/c509d8a8aebe0da4
  2019-05-02 15:56:39
  "Earlier detection of a database corruption case in balance_nonroot(), to prevent a possible use of an uninitialized variable."

  https://sqlite.org/src/info/a9b90aa12eecdd9f
  2019-05-03 18:50:24
  "Fix a memory-leak/segfault caused by using OP_OpenDup and OP_OpenEphemeral on the same VM cursor."
(Waiting some time for sufficient testing of reverse dependencies before starting stabilization.)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-13 14:25:47 UTC
Stabilization will happen in bug 685838.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:46:46 UTC
This issue was resolved and addressed in GLSA 201908-09 at https://security.gentoo.org/glsa/201908-09 by GLSA coordinator Aaron Bauman (b-man).