Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 732604 - <dev-db/sqlite-3.32.3-r1: Multiple vulnerabilities
Summary: <dev-db/sqlite-3.32.3-r1: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-14 20:04 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2020-09-15 18:34 UTC (History)
1 user (show)

See Also:
Package list:
dev-db/sqlite-3.32.3-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arfrever Frehtes Taifersar Arahesis 2020-07-14 20:04:53 UTC
Commit (trunk):       https://sqlite.org/src/info/ccff8cb8267d4c56
                      2020-07-09 21:29:34
                      "Fix handling of another corrupt database case in fts3."

Commit (trunk):       https://sqlite.org/src/info/5124732370fd53c9
                      2020-07-10 11:12:36
                      "Fix a broken assert() in fts3 that could fail when handling corrupt records."

Commit (trunk):       https://sqlite.org/src/info/30735432bc33cb95
                      2020-07-11 16:42:28
                      "Improved detection of a corrupt database schema. Fix for a problem discovered by dbsqlfuzz."

Commit (trunk):       https://sqlite.org/src/info/1bd18ca35bdbf303
                      2020-07-11 16:45:20
                      "Add second test case for the improvement in [30735432]."

Commit (trunk):       https://sqlite.org/src/info/49da8bdce17ced91
                      2020-07-13 11:06:30
                      "Fix an integer overflow bug in fts5 triggered by a corrupt record."

Commit (trunk):       https://sqlite.org/src/info/f25a56c26e28abd4
                      2020-07-14 12:40:53
                      "Early detection of freelist size corruption in incremental vacuum."
Comment 1 Arfrever Frehtes Taifersar Arahesis 2020-07-26 21:18:52 UTC
> Commit (trunk):       https://sqlite.org/src/info/28515bbbae4fbc26
>                       2020-07-23 13:45:47
>                       "Fix another case where a corrupt record could cause an assert() to fail in fts3."

> Commit (trunk):       https://sqlite.org/src/info/892e9191dc8f8056
>                       2020-07-24 09:14:44
>                       "Fix pointer aliasing problem in the in-memory journal code. Ref: forum post d44eb2fc44"

> Commit (trunk):       https://sqlite.org/src/info/270ac1a0f232d755
>                       2020-07-24 09:17:42
>                       "Fix other potentiall pointer aliasing problems associated with subclassing of the sqlite3_file object for various VFS implementations."
Comment 2 Arfrever Frehtes Taifersar Arahesis 2020-07-26 22:38:52 UTC
> Commit (trunk):       https://sqlite.org/src/info/d48af4d2cfff3d5f
>                       2020-06-08 14:43:41
>                       "Fix a case where a corrupted fts3 record could cause an assert() failure, or spurious SQLITE_NOMEM error in builds with assert() disabled."

> Commit (trunk):       https://sqlite.org/src/info/14eed318aa9e6e16
>                       2020-07-21 18:25:19
>                       "Add the sqlite3Int64ToText() routine and use it to convert integers to text, as it is much faster than the generic text formatter."

> Commit (trunk):       https://sqlite.org/src/info/9679c0c61131f0e9
>                       2020-07-21 18:36:06
>                       "Work-around for GCC bug 96270."
>                       https://sqlite.org/forum/forumpost/54e1773c0c
Comment 3 Larry the Git Cow gentoo-dev 2020-07-29 18:46:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd5e959e06f605b7caa81d8f44ae7b83f98440fb

commit dd5e959e06f605b7caa81d8f44ae7b83f98440fb
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2020-07-27 00:00:00 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-29 18:46:04 +0000

    dev-db/sqlite: Security fixes and other fixes (3.32.3-r1).
    
    Bug: https://bugs.gentoo.org/732604
    Closes: https://bugs.gentoo.org/685874
    Closes: https://bugs.gentoo.org/733092
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../sqlite/files/sqlite-3.32.3-backports_1.patch   | 361 +++++++++++++++++++++
 .../sqlite/files/sqlite-3.32.3-backports_2.patch   | 302 +++++++++++++++++
 .../sqlite/files/sqlite-3.32.3-backports_3.patch   | 220 +++++++++++++
 dev-db/sqlite/sqlite-3.32.3-r1.ebuild              | 339 +++++++++++++++++++
 4 files changed, 1222 insertions(+)
Comment 4 Sam James gentoo-dev Security 2020-07-29 18:49:16 UTC
Let us know when ready to stable.

Nothing here looks critical from a security perspective, although there's some important integrity fixes it seems. Let me know if you disagree, of course.
Comment 5 Sam James gentoo-dev Security 2020-07-29 23:30:04 UTC
arm stable
Comment 6 Sam James gentoo-dev Security 2020-07-29 23:32:10 UTC
sparc stable
Comment 7 Sam James gentoo-dev Security 2020-07-30 00:22:10 UTC
arm64 stable
Comment 8 Sam James gentoo-dev Security 2020-07-30 02:06:41 UTC
s390 stable
Comment 9 Rolf Eike Beer 2020-07-30 21:02:31 UTC
hppa stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-08-05 14:02:59 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-08-05 14:04:41 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-09-15 18:34:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=022a6609aaf851c09482de563a692407b4a4a472

commit 022a6609aaf851c09482de563a692407b4a4a472
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2020-09-14 11:00:00 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-09-15 18:33:39 +0000

    dev-db/sqlite: Delete old version (3.32.3).
    
    Bug: https://bugs.gentoo.org/732604
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../files/sqlite-3.32.3-security_fixes.patch       | 146 ---------
 dev-db/sqlite/sqlite-3.32.3.ebuild                 | 340 ---------------------
 2 files changed, 486 deletions(-)