Bug 673154 - <dev-db/sqlite-3.26.0: Security vulnerability / potential RCE
Summary: <dev-db/sqlite-3.26.0: Security vulnerability / potential RCE
Status: RESOLVED DUPLICATE of bug 672942
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blade.tencent.com/magellan/in...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-14 22:57 UTC by Hanno Böck
Modified: 2018-12-19 08:37 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Hanno Böck gentoo-dev 2018-12-14 22:57:27 UTC
There's a report about a severe security vuln in sqlite before 3.26.0:
https://blade.tencent.com/magellan/index_en.html

This is unfortunately lacking any details and it sounds overhyped, but still it'd probably be good to update asap.
Comment 1 Luke-Jr 2018-12-15 17:13:25 UTC
Chromium apparently fixed it by updating their bundled copy to 3.25.3, so I suspect that is sufficient.

It's pretty serious in the Chromium use case, since it allows arbitrary websites to exploit it.

Other affected* packages (maybe should get sqlite de-bundled anyway):

- dev-qt/qtwebengine-5.11.1
- dev-perl/DBD-SQLite-1.560.0
- dev-qt/qt-creator-4.6.2
- sys-libs/db-5.3.28-r2
- dev-db/sqlcipher-3.4.2

* It's possible their /usage/ of SQLite isn't meaningfully vulnerable; I didn't check that.
Comment 2 Luke-Jr 2018-12-15 18:21:10 UTC
I'm not sure if it's safe, but Qt Creator at least *seems* to work using the system SQLite if I just delete its copy (/usr/lib64/qtcreator/libSqlite.so.4.6.2)
Comment 3 Chris Mayo 2018-12-15 19:40:40 UTC
Write-up that seems convincing here:

https://news.ycombinator.com/item?id=18686305

Including what appears to be an endorsement from Richard Hipp pointing to the page:

https://www.sqlite.org/security.html

If the write-up is to be believed then the specific fix is in 3.25.3 (currently stable for amd64 and x86); 3.26.0 includes a more generic solution that is off by default and will require applications to enable it.
Comment 4 Luke-Jr 2018-12-17 18:35:23 UTC
Qt WebEngine bug tracker: https://bugreports.qt.io/browse/QTBUG-72632
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-18 16:46:57 UTC

*** This bug has been marked as a duplicate of bug 672942 ***
Comment 7 Arfrever Frehtes Taifersar Arahesis 2018-12-19 08:37:06 UTC
dev-db/sqlite-3.26.0 will be added, but security fix is present in dev-db/sqlite-3.25.3.

In https://sqlite.org/releaselog/3_25_3.html relevant fix is described as:
    3. Strengthen defenses against deliberately corrupted database files.

Relevant commit on branch "branch-3.25" (https://sqlite.org/src/timeline?r=branch-3.25) is:
    Add extra defenses against strategically corrupt databases to fts3/4.
    https://sqlite.org/src/info/940f2adc8541a838
The fix has also been hodiernally backported to 4 other branches: "branch-3.9", "branch-3.18", "branch-3.19", "branch-3.22".


In https://sqlite.org/releaselog/3_26_0.html relevant new features are described as:
    3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.
    4. Added support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled.
So a new explicit call to sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL) will be needed in applications wanting additional protection.
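Added example (not code from the bug, from SQLite or from any Gentoo package): what the SQLITE_DBCONFIG_DEFENSIVE flag named in the comment above actually changes, checked from Python. It assumes Python 3.12+, whose sqlite3.Connection.setconfig() is a wrapper around the sqlite3_db_config() call quoted above, and a libsqlite3 of 3.26.0 or newer with FTS4 compiled in (the shadow-table probe returns None otherwise). Both probes try the two "corrupt the database with ordinary SQL" routes the 3.26.0 release notes refer to: rewriting sqlite_master behind PRAGMA writable_schema=ON, and inserting a bogus row straight into an FTS4 shadow table (the fts3/4 %_segdir table the 3.25.3 fix hardened). The table and column names used are constructed for the example.

```python
import sqlite3

# Connection.setconfig() exists from Python 3.12 on; the constant is only
# defined when the linked libsqlite3 is new enough to know the flag.
DEFENSIVE_AVAILABLE = (hasattr(sqlite3.Connection, "setconfig")
                       and hasattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE"))


def _connect(defensive: bool) -> sqlite3.Connection:
    """Fresh in-memory database in autocommit mode, with the DEFENSIVE flag
    set explicitly (also explicitly off for defensive=False, so a build
    default cannot skew the comparison)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    if not DEFENSIVE_AVAILABLE:
        if defensive:
            conn.close()
            raise RuntimeError("needs Python 3.12+ and SQLite >= 3.26.0")
        return conn
    # Same effect as sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1/0, NULL) in C.
    conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, defensive)
    return conn


def schema_write_blocked(defensive: bool) -> bool:
    """PRAGMA writable_schema=ON followed by an UPDATE of sqlite_master.
    Returns True if SQLite refused the write, False if it went through."""
    conn = _connect(defensive)
    try:
        conn.execute("CREATE TABLE t(x)")
        conn.execute("PRAGMA writable_schema=ON")  # silently ignored under DEFENSIVE
        try:
            conn.execute("UPDATE sqlite_master SET sql='CREATE TABLE t(y)' "
                         "WHERE name='t'")
        except sqlite3.OperationalError:  # "table sqlite_master may not be modified"
            return True
        return False
    finally:
        conn.close()


def shadow_write_blocked(defensive: bool):
    """Direct INSERT into an FTS4 shadow table (constructed example: table
    'ft', shadow table 'ft_segdir'). Returns True if refused, False if the
    row went in, None if this libsqlite3 has no FTS4 module."""
    conn = _connect(defensive)
    try:
        try:
            conn.execute("CREATE VIRTUAL TABLE ft USING fts4(body)")
        except sqlite3.OperationalError:  # no such module: fts4
            return None
        try:
            # A bogus segment-directory entry: without DEFENSIVE this is an
            # ordinary INSERT into an ordinary table and succeeds.
            conn.execute("INSERT INTO ft_segdir(level, idx, start_block, "
                         "leaves_end_block, end_block, root) "
                         "VALUES(0, 0, 0, 0, 0, x'00')")
        except sqlite3.OperationalError:  # "table ft_segdir may not be written"
            return True
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    flags = (False, True) if DEFENSIVE_AVAILABLE else (False,)
    for flag in flags:
        print(f"defensive={flag}: schema write blocked="
              f"{schema_write_blocked(flag)}, shadow write blocked="
              f"{shadow_write_blocked(flag)}")
```

The point for packagers is the one made in the comment: the library upgrade alone does not turn this on. A Gentoo package that bundles or links SQLite only benefits from the shadow-table protection once its own code makes the sqlite3_db_config() call (or, from Python 3.12, the setconfig() call) on every connection it opens.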