Bug 574420 (CVE-2015-7036) - <dev-db/sqlite-3.11.1: arbitrary code execution on databases with malformed schema, buffer overreads
Status: RESOLVED FIXED
Alias: CVE-2015-7036
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Reported: 2016-02-11 11:20 UTC by Agostino Sarubbo
Modified: 2017-01-14 14:32 UTC

Description Agostino Sarubbo gentoo-dev 2016-02-11 11:20:22 UTC
From ${URL} :

It is possible to craft SQLite databases that, when opened by an application expecting a specific SQL schema, could cause arbitrary code execution.

The issue is in the handling of the fts3_tokenizer function:

https://www.sqlite.org/mark/fts3.html?FTS+does+not&If+the+fts3*callback#mark

Yum might be affected, but due to the use of HTTPS in RHEL, and in Fedora, the digest from the mirror list service should protect clients.

The issue does not appear to be fixed upstream yet:

https://www.sqlite.org/src/finfo?name=ext/fts3/fts3_tokenizer.c&ci=trunk

External References:

http://zerodayinitiative.com/advisories/ZDI-15-570/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Arfrever Frehtes Taifersar Arahesis 2016-03-03 04:32:39 UTC
From documentation of SQLite 3.11.0 (released on 2016-02-15):


releaselog/3_11_0.html :

"Backwards Compatibility:

Because of continuing security concerns, the two-argument version of the seldom-used and little-known fts3_tokenizer() function is disabled unless SQLite is compiled with the SQLITE_ENABLE_FTS3_TOKENIZER."


fts3.html#f3tknzr :

"As of SQLite version 3.11.0, the second form of the fts3_tokenizer() function is only available if the library is compiled with the -DSQLITE_ENABLE_FTS3_TOKENIZER compiler switch. In earlier versions it was always available.

SECURITY WARNING: If a version of the fts3/4 extension that supports the second form of fts3_tokenizer() is deployed in an environment where potentially malicious users may execute arbitrary SQL, they should be prevented from invoking the fts3_tokenizer() function, possibly using the authorization callback.

SECURITY UPDATE for Version 3.11.0: Because of continuing concern, the two-argument version of fts3_tokenizer() is disabled unless SQLite is compiled with SQLITE_ENABLE_FTS3_TOKENIZER."


================================================


From documentation of SQLite 3.12.0 (released probably on 2016-04-*):


releaselog/3_12_0.html :

"New Features:

Added the SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER option to sqlite3_db_config() which allows the two-argument version of the fts3_tokenizer() SQL function to be enabled or disabled at run-time."


fts3.html#f3tknzr :

"Because of security concerns, SQLite version 3.11.0 only enabled the second form of the fts3_tokenizer() function when the library is compiled with the -DSQLITE_ENABLE_FTS3_TOKENIZER option. In earlier versions it was always available. Beginning with SQLite version 3.12.0, the second form of fts3_tokenizer() can also be activated at run-time by calling sqlite3_db_config(db,SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER,1,0).

SECURITY WARNING: If a version of the fts3/4 extension that supports the two-argument form of fts3_tokenizer() is deployed in an environment where malicious users can run arbitrary SQL, then those users should be prevented from invoking the two-argument fts3_tokenizer() function. This can be done using the authorization callback, or by disabling the two-argument fts3_tokenizer() interface using a call to sqlite3_db_config(db,SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER,0,0)."


================================================


Support for the SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER option has been backported to SQLite 3.11.0 in Gentoo.
-DSQLITE_ENABLE_FTS3_TOKENIZER is not passed to the compiler by the SQLite ebuild, so support for custom FTS3/FTS4 tokenizers is disabled at run time by default.

If any package is using custom FTS3/FTS4 tokenizers, then it should be modified to enable this feature at run time:

#ifdef SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER
sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER, 1, 0);
#endif
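The SQLite documentation quoted in the comment above names two mitigations for an application that must accept untrusted SQL on a library where the two-argument fts3_tokenizer() is still reachable: an authorization callback, or the run-time sqlite3_db_config() switch. The following is an added example (not code from this bug, from SQLite or from Gentoo) that wires both into a connection. It uses Python's standard-library sqlite3 binding instead of C so it runs against whatever libsqlite3 is installed without a link step; the deny-list name DENIED_FUNCTIONS, the helper names and the 8-byte FAKE_MODULE_POINTER are this example's own constructions. The authorizer path works on any Python 3; the setconfig() path needs Python 3.12+ and is skipped otherwise.

```python
import sqlite3

# Constructed deny-list for this example: fts3_tokenizer() is the function whose
# two-argument form lets SQL text register a raw function-pointer blob as a
# tokenizer, the primitive behind CVE-2015-7036.
DENIED_FUNCTIONS = frozenset({"fts3_tokenizer"})


def is_denied(function_name):
    """Pure decision helper: is this SQL function name on the deny-list?"""
    return (function_name or "").lower() in DENIED_FUNCTIONS


def deny_dangerous_functions(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer callback that SQLite consults while compiling each statement.

    For action == SQLITE_FUNCTION, SQLite passes the function name in arg2
    (arg1 is NULL/None). Returning SQLITE_DENY aborts compilation with a
    "not authorized" error, so the function body never executes.
    """
    if action == sqlite3.SQLITE_FUNCTION and is_denied(arg2):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_hardened(path=":memory:"):
    """Open a connection that refuses fts3_tokenizer() no matter how the
    underlying SQLite library was compiled."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(deny_dangerous_functions)
    # Belt and braces: on Python 3.12+ the run-time switch added in SQLite
    # 3.12.0 (SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER) is reachable as well.
    # Older Pythons have no binding for it, so only the authorizer applies.
    if hasattr(conn, "setconfig") and hasattr(sqlite3, "SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER"):
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER, False)
    return conn


def try_statement(conn, sql, params=()):
    """Run one statement; return ("ok", rows) or ("error", message)."""
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return "error", str(exc)


# Constructed stand-in for a "tokenizer module pointer": 8 zero bytes. A
# pre-3.11.0 build with FTS3 would store this and dereference it once a table
# was created with that tokenizer name.
FAKE_MODULE_POINTER = bytes(8)

if __name__ == "__main__":
    # Probe on an unhardened connection: the one-argument form returns a blob
    # if FTS3 is compiled in, otherwise "no such function".
    plain = sqlite3.connect(":memory:")
    print("probe  :", try_statement(plain, "SELECT fts3_tokenizer('simple')"))

    hardened = open_hardened()
    print("blocked:", try_statement(hardened,
                                    "SELECT fts3_tokenizer('simple', ?)",
                                    (FAKE_MODULE_POINTER,)))
    print("normal :", try_statement(hardened, "SELECT length('abc')"))
```

On a build with FTS3 the blocked call fails with "not authorized" before the statement is even compiled; on a build without FTS3 it fails with "no such function", and in neither case does any tokenizer registration take place. Ordinary statements on the hardened connection are unaffected, which is the property the authorizer approach has over simply refusing all SQL.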
Comment 2 Arfrever Frehtes Taifersar Arahesis 2016-03-03 04:38:49 UTC
Stabilize dev-db/sqlite-3.11.0.
Comment 3 Arfrever Frehtes Taifersar Arahesis 2016-03-04 13:09:30 UTC
Other security-related fixes in SQLite 3.11.0:

https://sqlite.org/src/info/facbc424e5550611
2016-02-11 18:08:38
"Avoid a buffer overread when reading a corrupt fts5 structure record."

https://sqlite.org/src/info/130580207ab5cee7
2016-02-12 17:56:27
"Fix a fairly obscure buffer overread in fts5."

https://sqlite.org/src/info/a049fbbde5da2e43
2016-02-12 18:48:09
"Fix a potential buffer overread provoked by invalid utf-8 in fts5."
Comment 4 Arfrever Frehtes Taifersar Arahesis 2016-03-04 22:28:08 UTC
From documentation of SQLite 3.11.1 (released on 2016-03-03):

releaselog/3_11_1.html :

"Fix a buffer overread that might occur if FTS5 is used to query a corrupt database file."


https://sqlite.org/src/info/c9a30e117f2c6c9e
2016-02-29 17:34:16
"Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread."
Comment 5 Arfrever Frehtes Taifersar Arahesis 2016-03-04 22:33:06 UTC
(Stabilization of dev-db/sqlite-3.11.0 withdrawn.)

Stabilize dev-db/sqlite-3.11.1.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 08:29:56 UTC
Stable for PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-06 13:07:10 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 15:10:09 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2016-03-12 11:20:52 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-15 16:42:51 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:21:45 UTC
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-16 12:06:43 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-19 11:39:07 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-03-20 12:02:48 UTC
ia64 stable
Comment 15 Arfrever Frehtes Taifersar Arahesis 2016-04-03 17:05:32 UTC
Stabilized on arm64 by Steev Klimaszewski <steev@gentoo.org>:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=deaf1729beb9730001330f4eb6bbe75b0151bcbd
Comment 16 Arfrever Frehtes Taifersar Arahesis 2016-04-03 17:09:34 UTC
dev-db/sqlite-3.12.0 is now being stabilized in bug #578940.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 20:57:05 UTC
New GLSA created.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-12-08 13:11:27 UTC
This issue was resolved and addressed in
 GLSA 201612-21 at https://security.gentoo.org/glsa/201612-21
by GLSA coordinator Aaron Bauman (b-man).