
Bug 697678 (CVE-2019-16168, CVE-2019-5827)

Summary: <dev-db/sqlite-3.30.1: multiple vulnerabilities (CVE-2019-{5827,16168})
Product: Gentoo Security
Reporter: Vaibhav Rustagi <vaibhavrustagi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: arfrever.fta, floppym, perfect007gentleman, sam
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa+ cve]
Package list:
dev-db/sqlite-3.30.1
Runtime testing required: ---

Description Vaibhav Rustagi 2019-10-14 00:22:00 UTC
A new version (2.30) of sqlite is available. Uprev dev-db/sqlite package to version 2.30.0.

A pull request for version bump of dev-db/sqlite is available at: https://github.com/gentoo/gentoo/pull/13254#issue-326962517


Reproducible: Always



Expected Results:  
A new ebuild version (2.30.0) of dev-db/sqlite should be available at gentoo.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-03 19:36:11 UTC
Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Comment 2 Jory A. Pratt gentoo-dev 2019-12-03 19:52:06 UTC
(In reply to Thomas Deutschmann from comment #1)
> Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome
> prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap
> corruption via a crafted HTML page.

We should go with 2.30.1 for the update as it was released way back in October.
Comment 3 Jory A. Pratt gentoo-dev 2019-12-03 19:52:56 UTC
(In reply to Jory A. Pratt from comment #2)
> (In reply to Thomas Deutschmann from comment #1)
> > Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome
> > prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap
> > corruption via a crafted HTML page.
> 
> We should go with 2.30.1 for the update as it was released way back in
> October.

err 3.30.1
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-09 13:10:12 UTC
ppc64 stable
Comment 5 Rolf Eike Beer archtester 2019-12-09 20:48:38 UTC
hppa/sparc stable
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-12-09 21:31:36 UTC
arm64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-10 08:42:20 UTC
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-10 08:47:40 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 08:55:55 UTC
ppc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:01:09 UTC
arm stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-02 22:34:43 UTC
*** Bug 711194 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 01:56:42 UTC
Superseded by bug 711526.

Added to an existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 02:04:06 UTC
This issue was resolved and addressed in GLSA 202003-16 at https://security.gentoo.org/glsa/202003-16 by GLSA coordinator Thomas Deutschmann (whissi).