Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 716748 (CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358) - <dev-db/sqlite-3.32.3: Multiple vulnerabilities (CVE-2020-{11655,11656,13434,13435,13630,13631,13632,13871,15358})
Summary: <dev-db/sqlite-3.32.3: Multiple vulnerabilities (CVE-2020-{11655,11656,13434,...
Status: RESOLVED FIXED
Alias: CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
: 725118 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-04-09 04:12 UTC by Sam James
Modified: 2020-07-29 18:50 UTC (History)
4 users (show)

See Also:
Package list:
dev-db/sqlite-3.32.3
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-09 04:12:46 UTC
1) CVE-2020-11655

Description:
"SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled."

Bug: https://www.sqlite.org/src/tktview?name=af4556bb5c
Patch: https://www.sqlite.org/src/info/4a302b42c7bf5e11

2) CVE-2020-11656

Description:
"In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement."

Patch: https://www.sqlite.org/src/info/d09f8c3621d5f7f8
Patch: https://www.sqlite.org/src/info/b64674919f673602
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-09 04:13:46 UTC
@maintainer(s), please create an appropriate ebuild with the patches used if you feel they are not too invasive. Otherwise we will wait for a new release.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 05:44:11 UTC
CVE-2019-20218 (https://nvd.nist.gov/vuln/detail/CVE-2019-20218):
  selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack
  unwinding even after a parsing error.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 05:44:34 UTC
(In reply to GLSAMaker/CVETool Bot from comment #2)
> CVE-2019-20218 (https://nvd.nist.gov/vuln/detail/CVE-2019-20218):
>   selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack
>   unwinding even after a parsing error.

Ignore this, actually.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-24 19:07:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df401c888693da5b3d295e0e0bfc15d20c88b798

commit df401c888693da5b3d295e0e0bfc15d20c88b798
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2020-05-23 10:24:31 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-05-24 19:07:23 +0000

    dev-db/sqlite: version bump to 3.32.0
    
    Closes: https://bugs.gentoo.org/724644
    Bug: https://bugs.gentoo.org/716748
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/15922

 dev-db/sqlite/Manifest             |   3 +
 dev-db/sqlite/sqlite-3.32.0.ebuild | 388 +++++++++++++++++++++++++++++++++++++
 2 files changed, 391 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 20:02:48 UTC
Let us know when ready for stable.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-27 18:41:11 UTC
* CVE-2020-13630

Description:
"ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature."

* CVE-2020-13631

Description:
"SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c."

* CVE-2020-13632

Description:
"ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query."
Comment 7 Arfrever Frehtes Taifersar Arahesis 2020-06-03 05:04:17 UTC
* CVE-2020-13434

Description:
"SQLite >=3.8.3 <3.32.1 has an integer overflow in sqlite3_str_vappendf in printf.c."

Report: https://sqlite.org/src/info/23439ea582241138
Commit: https://sqlite.org/src/info/d08d3405878d394e

* CVE-2020-13435

Description:
"SQLite <3.32.1 has a segmentation fault in sqlite3ExprCodeTarget in expr.c."

Report: https://sqlite.org/src/info/7a5279a25c57adf1
Commit: https://sqlite.org/src/info/572105de1d44bca4
Comment 8 Arfrever Frehtes Taifersar Arahesis 2020-06-03 05:05:09 UTC
*** Bug 725118 has been marked as a duplicate of this bug. ***
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-06 17:10:25 UTC
* CVE-2020-13871

Description:
"SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late."
Comment 10 Arfrever Frehtes Taifersar Arahesis 2020-06-06 21:00:05 UTC
* CVE-2020-13871

Report: https://sqlite.org/src/info/c8d3b9f0a750a529
        "Use after free in resetAccumulator."
Commit (trunk): https://sqlite.org/src/info/0b42a2277e5bf527
Commit (branch-3.32): https://sqlite.org/src/info/79eff1d0383179c4
Comment 11 Arfrever Frehtes Taifersar Arahesis 2020-06-06 21:13:31 UTC
Other fixes in window-function parse-tree rewriting:

Commit (trunk): https://sqlite.org/src/info/c4072267dc870830

Commit (trunk): https://sqlite.org/src/info/3de19ee22a179379

Commit (trunk): https://sqlite.org/src/info/c96914ea02aa5be4

Report: https://sqlite.org/src/info/0899cf62f597d7e7
        "Segfault in sqlite3VdbeExec"
Commit (trunk): https://sqlite.org/src/info/2cddb24e911588d9

Commit (trunk): https://sqlite.org/src/info/3926ff1725710070

Commit (trunk): https://sqlite.org/src/info/03b32be44d9d2783

Report: https://sqlite.org/src/info/1f6f353b684fc708
        "Segfault in sqlite3VdbeExec"
Commit (trunk): https://sqlite.org/src/info/8583c3483c1b1ab2

Commit (trunk): https://sqlite.org/src/info/0e021887a1307fa3

Commit (branch-3.32): https://sqlite.org/src/info/05418b2a4a6e6a94
Comment 12 Arfrever Frehtes Taifersar Arahesis 2020-06-08 14:03:23 UTC
(In reply to comment #10, comment #11 and other regressions)
> * CVE-2020-13871
> 
> Report: https://sqlite.org/src/info/c8d3b9f0a750a529
>         "Use after free in resetAccumulator."
> Commit (trunk): https://sqlite.org/src/info/0b42a2277e5bf527
> Commit (branch-3.32): https://sqlite.org/src/info/79eff1d0383179c4
> 
> Other fixes in window-function parse-tree rewriting:
> 
> Commit (trunk): https://sqlite.org/src/info/c4072267dc870830
> 
> Commit (trunk): https://sqlite.org/src/info/3de19ee22a179379
> 
> Commit (trunk): https://sqlite.org/src/info/c96914ea02aa5be4
> 
> Report: https://sqlite.org/src/info/0899cf62f597d7e7
>         "Segfault in sqlite3VdbeExec"
> Commit (trunk): https://sqlite.org/src/info/2cddb24e911588d9
> 
> Commit (trunk): https://sqlite.org/src/info/3926ff1725710070
> 
> Commit (trunk): https://sqlite.org/src/info/03b32be44d9d2783
> 
> Report: https://sqlite.org/src/info/1f6f353b684fc708
>         "Segfault in sqlite3VdbeExec"
> Commit (trunk): https://sqlite.org/src/info/8583c3483c1b1ab2
> 
> Commit (trunk): https://sqlite.org/src/info/0e021887a1307fa3
> 
> Commit (branch-3.32): https://sqlite.org/src/info/05418b2a4a6e6a94
> 
> Report: https://sqlite.org/src/info/e5504e987e419fb0
>         "Segfault in sqlite3VdbeCursorMoveto"
> Report: https://sqlite.org/src/info/f7d890858f361402
>         "Segfault in moveToRoot"

All above commits were reverted in trunk and branch "branch-3.32" (i.e. moved to different branches).


New fixes:

Commit (trunk): https://sqlite.org/src/info/6e6b3729e0549de0
"When an Expr object is changed and that Expr is referenced by an AggInfo, then also update the AggInfo. Also, persist all AggInfo objects until the Parse object is destroyed. This is a new fix for ticket [c8d3b9f0a750a529] that avoids the follow-on problems identified by tickets [0899cf62f597d7e7], [1f6f353b684fc708], [e5504e987e419fb0], and [f7d890858f361402]."

Commit (branch-3.32): https://sqlite.org/src/info/44a58d6cb135a104
Comment 13 Arfrever Frehtes Taifersar Arahesis 2020-06-18 16:28:28 UTC
New fixes:

Report:               https://sqlite.org/src/info/7c6d876f84e6e7e2
                      "Use after free in resetAccumulator."
Commit (trunk):       https://sqlite.org/src/info/c29a9e484e1dd245
Commit (branch-3.32): https://sqlite.org/src/info/dafd2466a10f68ac

Commit (trunk):       https://sqlite.org/src/info/65179814aa0ae592
Commit (branch-3.32): https://sqlite.org/src/info/7e2833fb2be8e7df

Commit (trunk):       https://sqlite.org/src/info/094dcfe779613301
Commit (branch-3.32): https://sqlite.org/src/info/d31850fe50420cb0

Report:               https://sqlite.org/src/info/b706351c
                      "Segfault in sqlite3Select"
Commit (trunk):       https://sqlite.org/src/info/32a88bdd4be5acdc

Commit (trunk):       https://sqlite.org/src/info/44e573ecd5c2b601

Commit (trunk):       https://sqlite.org/src/info/9a4a40c45feb2bb8

Report:               https://bugs.chromium.org/p/chromium/issues/detail?id=1094247
                      "sqlite3_ossfuzz_fuzzer: Null-dereference READ in resolveExprStep"
Commit (trunk):       https://sqlite.org/src/info/ad738286e2441b5e

Report:               https://sqlite.org/src/info/e367f31901ea8700
                      "Assertion `pExpr->pAggInfo==pAggInfo' failed."
Commit (trunk):       https://sqlite.org/src/info/cc1fffdeddf42240

Report:               https://sqlite.org/src/info/9fb26d37cefaba40
                      "Assertion `flags3==pIn3->flags' failed."
Commit (trunk):       https://sqlite.org/src/info/90b1169d1b200d35

Report:               https://sqlite.org/src/info/8f157e8010b22af0
                      "Heap Buffer Overflow in multiSelectOrderBy"
Commit (trunk):       https://sqlite.org/src/info/10fa79d00f8091e5

Commit (trunk):       https://sqlite.org/src/info/a58a6d6fb241a50c

Commit (branch-3.32): https://sqlite.org/src/info/d55b8e7993997e6b

Commit (trunk):       https://sqlite.org/src/info/4adc0a1b0d84c2df
Commit (branch-3.32): https://sqlite.org/src/info/ea71fb7fabcce71a

Commit (trunk):       https://sqlite.org/src/info/4a340c9bc7d939ef
Commit (branch-3.32): https://sqlite.org/src/info/b69b9c0628feac9f
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 15:39:45 UTC
CVE-2020-15358:

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Patch: https://www.sqlite.org/src/info/10fa79d00f8091e5
Comment 15 Arfrever Frehtes Taifersar Arahesis 2020-06-29 23:48:06 UTC
New fixes:

Commit (trunk):       https://sqlite.org/src/info/cc888878ea8d5bc7

Commit (trunk):       https://sqlite.org/src/info/be545f85a6ef09cc

Commit (trunk):       https://sqlite.org/src/info/6e0ffa2053124168
Comment 16 Arfrever Frehtes Taifersar Arahesis 2020-06-30 19:12:22 UTC
New fixes:

Commit (trunk):       https://sqlite.org/src/info/4d0cfb1236884349
Comment 17 Larry the Git Cow gentoo-dev 2020-07-04 13:53:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51cc692bb2bd55a85dd31fbcd972fe590879e429

commit 51cc692bb2bd55a85dd31fbcd972fe590879e429
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2020-07-02 13:57:21 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-04 13:52:28 +0000

    dev-db/sqlite: Security fixes.
    
    Bug: https://bugs.gentoo.org/716748
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../files/sqlite-3.32.3-security_fixes.patch       | 146 +++++++++++++++++++++
 dev-db/sqlite/sqlite-3.32.3.ebuild                 |   1 +
 2 files changed, 147 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ace56886862557c51491ff03ab6a82fb5373786

commit 1ace56886862557c51491ff03ab6a82fb5373786
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2020-07-02 13:37:59 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-04 13:52:27 +0000

    dev-db/sqlite: Version bump (3.32.3).
    
    Bug: https://bugs.gentoo.org/716748
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 dev-db/sqlite/Manifest                             |   3 +
 .../files/sqlite-3.32.1-full_archive-build_1.patch | 670 +++++++++++++++++++++
 .../files/sqlite-3.32.1-full_archive-build_2.patch | 640 ++++++++++++++++++++
 dev-db/sqlite/sqlite-3.32.3.ebuild                 | 393 ++++++++++++
 4 files changed, 1706 insertions(+)
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 18:38:33 UTC
Arfrever mentioned he wants to wait ~ a week because of the large number of changes.
Comment 19 Allen Webb 2020-07-06 14:31:50 UTC
sqlite-3.32.3: error: include location '/usr/include' is unsafe for cross-compilation [-Werror,-Wpoison-system-directories]
sqlite-3.32.3: In file included from sqlite3.c:26208:
sqlite-3.32.3: /usr/include/pthread.h:744:12: warning: declaration of built-in function '__sigsetjmp' requires the declaration of the 'jmp_buf' type, commonly provided in the header <setjmp.h>. [-Wincomplete-setjmp-declaration]
sqlite-3.32.3: extern int __sigsetjmp (struct __jmp_buf_tag *__env, int __savemask) __THROWNL;
sqlite-3.32.3:            ^
sqlite-3.32.3: 1 warning and 1 error generated.
sqlite-3.32.3: make: *** [Makefile:787: sqlite3.lo] Error 1
Comment 20 Arfrever Frehtes Taifersar Arahesis 2020-07-06 19:06:15 UTC
(In reply to allenwebb from comment #19)

Not regressions. File new bug, show `emerge --info` and attach full build log.
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 17:06:29 UTC
(In reply to Sam James from comment #18)
> Arfrever mentioned he wants to wait ~ a week because of the large number of
> changes.

ping
Comment 22 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-15 16:27:42 UTC
arm64 stable
Comment 23 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 02:48:50 UTC
s390 stable
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 19:39:55 UTC
ppc64 stable
Comment 25 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 19:41:23 UTC
arm stable (I hit bug 733092 on the previous version too)
Comment 26 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 23:27:45 UTC
ppc stable
Comment 27 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 18:13:29 UTC
sparc stable
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2020-07-26 04:57:16 UTC
CVE-2020-15358 (https://nvd.nist.gov/vuln/detail/CVE-2020-15358):
  In SQLite before 3.32.3, select.c mishandles query-flattener optimization,
  leading to a multiSelectOrderBy heap overflow because of misuse of
  transitive properties for constant propagation.
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:17:43 UTC
This issue was resolved and addressed in
 GLSA 202007-26 at https://security.gentoo.org/glsa/202007-26
by GLSA coordinator Sam James (sam_c).
Comment 30 Arfrever Frehtes Taifersar Arahesis 2020-07-27 01:07:26 UTC
Stabilization not yet finished on HPPA.
Comment 31 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 01:18:27 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #30)
> Stabilization not yet finished on HPPA.

Beat me to it!
Comment 32 Rolf Eike Beer archtester 2020-07-28 21:56:34 UTC
hppa stable
Comment 33 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-28 21:57:28 UTC
Please cleanup.