Bug 685838 (CVE-2019-5018)

Summary: <dev-db/sqlite-3.28.0: use-after-free in window function leading to remote code execution (CVE-2019-5018)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: arfrever.fta
Priority: Normal
Keywords: STABLEREQ
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
Whiteboard: A2 [glsa+ cve]
Package list:
dev-db/sqlite-3.28.0
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 684840    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 14:20:40 UTC
CVE-2019-5018 (https://nvd.nist.gov/vuln/detail/CVE-2019-5018):
  An exploitable use after free vulnerability exists in the window function
  functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a
  use after free vulnerability, potentially resulting in remote code
  execution. An attacker can send a malicious SQL command to trigger this
  vulnerability.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-13 16:57:50 UTC
amd64 stable
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-05-13 22:01:18 UTC
arm64 stable
Comment 3 Rolf Eike Beer archtester 2019-05-14 08:30:28 UTC
sparc stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-16 23:58:19 UTC
x86 stable
Comment 5 Rolf Eike Beer archtester 2019-05-18 19:24:03 UTC
hppa stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:17:44 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:09 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-06-04 18:52:33 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-06-05 07:14:02 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-05 07:31:06 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-06 06:49:04 UTC
alpha stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 12 Arfrever Frehtes Taifersar Arahesis 2019-06-08 02:23:23 UTC
Let's give one or two weeks for M68K and SH.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2019-08-03 16:39:00 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #12)
> Let's give one or two weeks for M68K and SH.

They are not stable arches.  Can we move on now?
Comment 14 Larry the Git Cow gentoo-dev 2019-08-09 18:39:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b4ecf2fe8842b5ee546ab56f81bbb470cbe91a8

commit 9b4ecf2fe8842b5ee546ab56f81bbb470cbe91a8
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2019-08-09 17:09:52 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-08-09 18:39:00 +0000

    dev-db/sqlite: Delete old version (3.27.2).
    
    Bug: https://bugs.gentoo.org/685838
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 dev-db/sqlite/Manifest                             |   3 -
 .../files/sqlite-3.27.0-full_archive-build.patch   | 461 ---------------------
 .../files/sqlite-3.27.2-full_archive-tests.patch   |  36 --
 dev-db/sqlite/sqlite-3.27.2.ebuild                 | 328 ---------------
 4 files changed, 828 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:46:54 UTC
This issue was resolved and addressed in
 GLSA 201908-09 at https://security.gentoo.org/glsa/201908-09
by GLSA coordinator Aaron Bauman (b-man).