Bug 697678 (CVE-2019-16168, CVE-2019-5827) - <dev-db/sqlite-3.30.1: multiple vulnerabilities (CVE-2019-{5827,16168})
Summary: <dev-db/sqlite-3.30.1: multiple vulnerabilities (CVE-2019-{5827,16168})
Status: RESOLVED FIXED
Alias: CVE-2019-16168, CVE-2019-5827
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Duplicates: 711194
Depends on:
Blocks:
 
Reported: 2019-10-14 00:22 UTC by Vaibhav Rustagi
Modified: 2020-03-15 02:04 UTC

See Also:
Package list:
dev-db/sqlite-3.30.1
Runtime testing required: ---
stable-bot: sanity-check+
Description Vaibhav Rustagi 2019-10-14 00:22:00 UTC
A new version (2.30) of sqlite is available. Uprev the dev-db/sqlite package to version 2.30.0.

A pull request for the version bump of dev-db/sqlite is available at: https://github.com/gentoo/gentoo/pull/13254#issue-326962517

Reproducible: Always

Expected Results:
A new ebuild version (2.30.0) of dev-db/sqlite should be available in Gentoo.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-12-03 19:36:11 UTC
Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Comment 2 Jory A. Pratt gentoo-dev 2019-12-03 19:52:06 UTC
(In reply to Thomas Deutschmann from comment #1)
> Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome
> prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap
> corruption via a crafted HTML page.

We should go with 2.30.1 for the update, as it was released way back in October.
Comment 3 Jory A. Pratt gentoo-dev 2019-12-03 19:52:56 UTC
(In reply to Jory A. Pratt from comment #2)
> (In reply to Thomas Deutschmann from comment #1)
> > Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome
> > prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap
> > corruption via a crafted HTML page.
> 
> We should go with 2.30.1 for the update, as it was released way back in
> October.

Err, 3.30.1.
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-09 13:10:12 UTC
ppc64 stable
Comment 5 Rolf Eike Beer 2019-12-09 20:48:38 UTC
hppa/sparc stable
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-12-09 21:31:36 UTC
arm64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-10 08:42:20 UTC
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-10 08:47:40 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 08:55:55 UTC
ppc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:01:09 UTC
arm stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-03-02 22:34:43 UTC
*** Bug 711194 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-03-15 01:56:42 UTC
Superseded by bug 711526.

Added to an existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 02:04:06 UTC
This issue was resolved and addressed in GLSA 202003-16 at https://security.gentoo.org/glsa/202003-16 by GLSA coordinator Thomas Deutschmann (whissi).