697678 – (CVE-2019-16168, CVE-2019-5827) <dev-db/sqlite-3.30.1: multiple vulnerabilities (CVE-2019-{5827,16168})

Bug 697678 (CVE-2019-16168, CVE-2019-5827) - <dev-db/sqlite-3.30.1: multiple vulnerabilities (CVE-2019-{5827,16168})

Summary: <dev-db/sqlite-3.30.1: multiple vulnerabilities (CVE-2019-{5827,16168})

Status:	RESOLVED FIXED

Alias:	CVE-2019-16168, CVE-2019-5827

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa+ cve]
Keywords:

Duplicates (1):	711194 (view as bug list)
Depends on:
Blocks:

Reported:	2019-10-14 00:22 UTC by Vaibhav Rustagi
Modified:	2020-03-15 02:04 UTC (History)
CC List:	4 users (show)

See Also:
Package list:	dev-db/sqlite-3.30.1
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vaibhav Rustagi 2019-10-14 00:22:00 UTC

A new version (2.30) of sqlite is available. Uprev dev-db/sqlite package to version to 2.30.0.

A pull request for version bump of dev-db/sqlite is available at: https://github.com/gentoo/gentoo/pull/13254#issue-326962517


Reproducible: Always



Expected Results:  
A new ebuild version (2.30.0) of dev-db/sqlite should be available at gentoo.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2019-12-03 19:36:11 UTC

Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Comment 2 Jory A. Pratt gentoo-dev

2019-12-03 19:52:06 UTC

(In reply to Thomas Deutschmann from comment #1)
> Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome
> prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap
> corruption via a crafted HTML page.

we should go with 2.30.1 for the update as it was released way back in october.

Comment 3 Jory A. Pratt gentoo-dev

2019-12-03 19:52:56 UTC

(In reply to Jory A. Pratt from comment #2)
> (In reply to Thomas Deutschmann from comment #1)
> > Adding CVE-2019-5827: Integer overflow in SQLite via WebSQL in Google Chrome
> > prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap
> > corruption via a crafted HTML page.
> 
> we should go with 2.30.1 for the update as it was released way back in
> october.

err 3.30.1

Comment 4 Agostino Sarubbo gentoo-dev

2019-12-09 13:10:12 UTC

ppc64 stable

Comment 5 Rolf Eike Beer archtester

2019-12-09 20:48:38 UTC

hppa/sparc stable

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2019-12-09 21:31:36 UTC

arm64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2019-12-10 08:42:20 UTC

s390 stable

Comment 8 Agostino Sarubbo gentoo-dev

2019-12-10 08:47:40 UTC

ia64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2019-12-10 08:55:55 UTC

ppc stable

Comment 10 Mikle Kolyada (RETIRED) archtester

2019-12-24 14:01:09 UTC

arm stable

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-02 22:34:43 UTC

*** Bug 711194 has been marked as a duplicate of this bug. ***

Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-15 01:56:42 UTC

Superseded by bug 711526.

Added to an existing GLSA.

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2020-03-15 02:04:06 UTC

This issue was resolved and addressed in
 GLSA 202003-16 at https://security.gentoo.org/glsa/202003-16
by GLSA coordinator Thomas Deutschmann (whissi).