Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 672942 (CVE-2018-20346) - <dev-db/sqlite-3.25.3: remote code execution "Magellan" (CVE-2018-20346)
Summary: <dev-db/sqlite-3.25.3: remote code execution "Magellan" (CVE-2018-20346)
Status: RESOLVED FIXED
Alias: CVE-2018-20346
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://blade.tencent.com/magellan/in...
Whiteboard: A2 [glsa+ cve]
Keywords:
: 673154 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-12-11 18:58 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2019-04-22 23:32 UTC (History)
2 users (show)

See Also:
Package list:
dev-db/sqlite-3.25.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arfrever Frehtes Taifersar Arahesis 2018-12-11 18:58:48 UTC
Stabilize dev-db/sqlite-3.25.3.
Comment 1 Sergei Trofimovich gentoo-dev 2018-12-11 23:49:43 UTC
ia64/ppc/ppc64 stable
Comment 2 Rolf Eike Beer 2018-12-12 20:01:02 UTC
sparc stable
Comment 3 Arfrever Frehtes Taifersar Arahesis 2018-12-12 23:29:27 UTC
HPPA stable (by Jeroen Roovers).
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-12-17 10:59:21 UTC
Converting bug to security bug. =dev-db/sqlite-3.25.3 closes a remote code execution vulnerability named "Magellan".
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-12-18 16:46:58 UTC
*** Bug 673154 has been marked as a duplicate of this bug. ***
Comment 6 Christian 2018-12-18 20:16:58 UTC
I think 3.25.3 have no Fix for that Magellan Bug. 

Tencent and a German Newspaper wrote that Version 3.26.0 is secure.

>If your product uses SQLite, please update to 3.26.0 

Because of that, i think 3.25.3 is still vulnerable.

Release Log of 3.25.3 was released at 5. November and list some fixes. I think that was other minor issues. 
See https://www.sqlite.org/releaselog/3_25_3.html

But i did not compare the patch or source Code or if you try to fix the issue in 3.25.3.

Stay fine Gentoo Users and Happy Holidays!
Comment 7 Christian 2018-12-18 20:33:10 UTC
Sorry for spam that Bug.

It seems that 3.25.3 fix the Crash for sqlite but still allow to corrupt the Database.

And 3.26.0 introduce Shadow-Tables and a Check for Injection to avoid a corrupt Database.

https://twitter.com/11rcombs/status/1073794230236209152

Google fix there Browsers with an Update to Version 3.25.3, too. This had confused me.
Comment 8 Arfrever Frehtes Taifersar Arahesis 2018-12-19 08:37:02 UTC
dev-db/sqlite-3.26.0 will be added, but security fix is present in dev-db/sqlite-3.25.3.

In https://sqlite.org/releaselog/3_25_3.html relevant fix is described as:
    3. Strengthen defenses against deliberately corrupted database files.

Relevant commit on branch "branch-3.25" (https://sqlite.org/src/timeline?r=branch-3.25) is:
    Add extra defenses against strategically corrupt databases to fts3/4.
    https://sqlite.org/src/info/940f2adc8541a838
Fix also has been hodiernally backported in 4 other branches: "branch-3.9", "branch-3.18", "branch-3.19", "branch-3.22".


In https://sqlite.org/releaselog/3_26_0.html relevant new features are described as:
    3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.
    4. Added support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled."
So new explicit call to sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL) in applications wanting additional protection will be needed.
Comment 9 Matt Turner gentoo-dev 2018-12-23 03:18:54 UTC
alpha stable
Comment 10 Markus Meier gentoo-dev 2019-01-02 12:17:19 UTC
arm stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-01-04 23:09:20 UTC
s390 stable
Comment 12 Mart Raudsepp gentoo-dev 2019-01-07 18:48:57 UTC
arm64 stable
Comment 13 Larry the Git Cow gentoo-dev 2019-02-27 22:35:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1de0c0836625f3a11d173ed910cefd6ebc1d8e56

commit 1de0c0836625f3a11d173ed910cefd6ebc1d8e56
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2019-02-27 22:09:21 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-27 22:35:19 +0000

    dev-db/sqlite: Delete old versions (<3.25.3).
    
    Bug: https://bugs.gentoo.org/672942
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 dev-db/sqlite/Manifest                             |   9 -
 .../sqlite-3.21.0-nonfull_archive-build.patch      |  14 -
 .../files/sqlite-3.23.0-full_archive-build.patch   | 407 ---------------------
 ...to_table-valued_functions_within_triggers.patch |  24 --
 .../files/sqlite-3.23.1-full_archive-tests.patch   | 224 ------------
 ...to_table-valued_functions_within_triggers.patch |  14 -
 ...ll_archive-archive_command_paths_handling.patch |  14 -
 .../files/sqlite-3.24.0-full_archive-build.patch   | 407 ---------------------
 ...ll_archive-archive_command_paths_handling.patch |  14 -
 ...low_window_functions_in_recursive_queries.patch |  49 ---
 ...low_window_functions_in_recursive_queries.patch |  19 -
 dev-db/sqlite/sqlite-3.23.1.ebuild                 | 309 ----------------
 dev-db/sqlite/sqlite-3.24.0.ebuild                 | 308 ----------------
 dev-db/sqlite/sqlite-3.25.2.ebuild                 | 322 ----------------
 14 files changed, 2134 deletions(-)
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2019-04-22 23:32:50 UTC
This issue was resolved and addressed in
 GLSA 201904-21 at https://security.gentoo.org/glsa/201904-21
by GLSA coordinator Aaron Bauman (b-man).