Bug 15756

Summary: sqlite3 new security issues fixed upstream in 3.8.9
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: fundawang, oe, thierry.vignaud
Version: 4
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/641592/
Whiteboard:
Source RPM: sqlite3-3.8.7.4-2.mga5.src.rpm
CVE:
Status comment:
Bug Depends on: 15920
Bug Blocks:

Description David Walser 2015-04-23 15:12:34 CEST
Fedora has issued an advisory on April 18:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155801.html

The issues are fixed upstream in 3.8.9.

We will need to update this for the next Firefox ESR soon anyway.

David Walser 2015-04-23 15:12:48 CEST

CC: (none) => fundawang, thierry.vignaud
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-23 20:03:08 CEST
Update to 3.8.9 checked into Mageia 4 and Cauldron SVN.  Freeze push requested.
David Walser 2015-04-23 20:05:16 CEST

URL: (none) => http://lwn.net/Vulnerabilities/641592/

Comment 3 Oden Eriksson 2015-04-30 09:15:32 CEST
Proposed advisory:

Multiple vulnerabilities have been found and corrected in sqlite3:

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement (CVE-2015-3414).

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement (CVE-2015-3415).

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement (CVE-2015-3416).

The updated packages provide a solution for these security issues.
Comment 4 David Walser 2015-04-30 15:17:50 CEST
sqlite3-3.8.9-1.mga5 uploaded for Cauldron.

Thanks for the advisory Oden.  Do you think we should push this update soon, or would it be OK to wait until we update to the next Firefox ESR (38)?

Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4

Comment 5 David Walser 2015-04-30 15:22:42 CEST
Mandriva has issued an advisory for this today (April 30):
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A217/
Comment 6 David Walser 2015-05-07 18:16:56 CEST
Rather than waiting for the next ESR, we can include this with the next round of Mozilla updates (should be the last ESR31), which I hear are expected next Tuesday (May 12).  We'll also be updating rootcerts and nss:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
Comment 7 David Walser 2015-05-12 19:04:51 CEST
We'll update to 3.8.10.1 when we do the next round of Mozilla updates.  It's already updated as such in Cauldron.

CVE request for additional issues fixed in 3.8.10.1:
http://openwall.com/lists/oss-security/2015/05/12/7
David Walser 2015-05-17 18:24:39 CEST

Depends on: (none) => 15920

Comment 8 David Walser 2015-05-18 21:27:25 CEST
Fixed in http://advisories.mageia.org/MGASA-2015-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED