Bug 684840 (CVE-2019-9936, CVE-2019-9937) - <dev-db/sqlite-3.28.0: Multiple Vulnerabilities (CVE-2019-{9936,9937})
Summary: <dev-db/sqlite-3.28.0: Multiple Vulnerabilities (CVE-2019-{9936,9937})
Alias: CVE-2019-9936, CVE-2019-9937
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on: CVE-2019-5018
Reported: 2019-05-01 00:19 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-15 15:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-01 00:19:21 UTC
CVE-2019-9937 (
  In SQLite 3.27.2, interleaving reads and writes in a single transaction with
  an fts5 virtual table will lead to a NULL Pointer Dereference in
  fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and

CVE-2019-9936 (
  In SQLite 3.27.2, running fts5 prefix queries inside a transaction could
  trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c,
  which may lead to an information leak. This is related to
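Both CVEs in the description above live in SQLite's FTS5 module and, per the bug summary, affect dev-db/sqlite before 3.28.0. The Python snippet below is an added example, not part of this bug report or of Gentoo's tooling: it inspects the SQLite library linked into the running Python interpreter, compares its version against the 3.28.0 threshold taken from the summary, and probes whether the fts5 module is compiled in at all, since neither bug is reachable without it. The threshold, the fts5 probe and all function names are assumptions of this example.

```python
import sqlite3

# Assumption taken from the bug summary ("<dev-db/sqlite-3.28.0"):
# 3.28.0 is the first release outside the affected range.
FIXED_VERSION = (3, 28, 0)


def parse_version(text):
    """Turn a SQLite version string such as '3.27.2' into a 3-tuple of ints."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SQLite version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '3.28' to (3, 28, 0)


def is_affected(version_text):
    """True when the library is older than the fixed release 3.28.0."""
    return parse_version(version_text) < FIXED_VERSION


def fts5_available(conn):
    """Probe for the FTS5 module by creating a throwaway virtual table.

    This works even on builds that omit PRAGMA compile_options; a build
    without fts5 raises 'no such module: fts5'.
    """
    try:
        conn.execute("CREATE VIRTUAL TABLE temp.fts5_probe USING fts5(x)")
    except sqlite3.OperationalError:
        return False
    conn.execute("DROP TABLE temp.fts5_probe")
    return True


def assess_runtime():
    """Summarise exposure of the SQLite library bundled with this interpreter.

    'exposed' is only True when the version is in the affected range AND
    fts5 is present, because both CVEs are in the fts5 extension.
    """
    conn = sqlite3.connect(":memory:")
    try:
        version = sqlite3.sqlite_version
        fts5 = fts5_available(conn)
    finally:
        conn.close()
    affected = is_affected(version)
    return {
        "version": version,
        "affected_range": affected,
        "fts5": fts5,
        "exposed": affected and fts5,
    }


if __name__ == "__main__":
    for key, value in assess_runtime().items():
        print(f"{key}: {value}")
```

The version comparison alone reproduces the "<dev-db/sqlite-3.28.0" range from the summary; the fts5 probe narrows that to builds where the affected code is actually present, which is the question an operator with a statically linked or feature-trimmed SQLite wants answered.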
Comment 1 D'juan McDonald (domhnall) 2019-05-01 01:29:19 UTC
Upstream fixes: 


Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-05-02 02:54:29 UTC
I am aware of the release of SQLite 3.28.0, but there are several problems:
- Test failures with USE="icu", now fixed:
- Segmentation fault triggered by test suite (on x86_64, seemingly not on x86_32), investigation ongoing
- Some incompatible change in behavior of fts3_tokenizer() function, potentially breaking some reverse dependencies
Comment 3 Arfrever Frehtes Taifersar Arahesis 2019-05-05 20:29:02 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #2)
> - Segmentation fault triggered by test suite

This problem is now fixed:
Comment 4 Arfrever Frehtes Taifersar Arahesis 2019-05-05 20:37:05 UTC
dev-db/sqlite-3.28.0 is now in the tree.

Security fixes made after release of 3.28.0 have been backported:
  2019-04-22 11:47:40
  "Fix an assert() that may be false for corrupt databases."
  2019-04-24 15:13:02
  "Fix an error in fts3_write.c allowing a corrupt database to cause a crash."
  2019-04-24 15:57:25
  "Fix a problem in fts5 where a corrupt position list could lead to a buffer overwrite."
  2019-04-24 16:13:52
  "Fix another instance in fts3 where a corrupt record can cause a buffer overflow."
  2019-04-29 11:27:58
  "Fix a stack overflow that could occur when renaming a table that has a trigger containing a window function invocation that itself contains a specific syntax error."
  2019-05-02 15:56:39
  "Earlier detection of a database corruption case in balance_nonroot(), to prevent a possible use of an uninitialized variable."
  2019-05-03 18:50:24
  "Fix a memory-leak/segfault caused by using OP_OpenDup and OP_OpenEphemeral on the same VM cursor."

(Waiting some time for sufficient testing of reverse dependencies before starting stabilization.)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-13 14:25:47 UTC
Stabilization will happen in bug 685838.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:46:46 UTC
This issue was resolved and addressed in
 GLSA 201908-09 at
by GLSA coordinator Aaron Bauman (b-man).