Bug 18869

Summary: sqlite3 new security issue CVE-2016-6153
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/693574/
Whiteboard: mga5-64-ok advisory
Source RPM: sqlite3-3.12.2-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-07-05 20:00:47 CEST 
A CVE has been assigned for an issue fixed in sqlite3 3.13.0:
http://openwall.com/lists/oss-security/2016/07/01/2

The relevant commits are linked in the thread above.

I'm not sure why this is being classified as a security issue, as it just sounds like a bug to me.  It is a legitimate bug, and would at least affect Mageia configurations using msec secure mode.

We should probably fix it at some point.

Mageia 5 is also affected.
David Walser 2016-07-05 20:01:02 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-06 18:42:21 CEST 
Debian-LTS has issued an advisory for this on July 5:
http://lwn.net/Alerts/693549/

URL: (none) => http://lwn.net/Vulnerabilities/693574/

Comment 2 David Walser 2016-07-07 21:14:46 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated sqlite3 packages fix security vulnerability:

It was discovered that sqlite3 would reject a temporary directory (e.g., as
specified by the TMPDIR environment variable) to which the executing user did
not have read permissions. This could result in information leakage as less
secure global temporary directories (e.g., /var/tmp or /tmp) would be used
instead (CVE-2016-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153
http://lwn.net/Alerts/693549/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.8.10.2-1.1.mga5
libsqlite3-devel-3.8.10.2-1.1.mga5
libsqlite3-static-devel-3.8.10.2-1.1.mga5
sqlite3-tools-3.8.10.2-1.1.mga5
lemon-3.8.10.2-1.1.mga5
sqlite3-tcl-3.8.10.2-1.1.mga5

from sqlite3-3.8.10.2-1.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2016-07-09 19:30:32 CEST 
The last person to update this package put the subrel in the wrong location in the spec so I didn't see it.  I just had to bump it and build it again.

libsqlite3_0-3.8.10.2-1.2.mga5
libsqlite3-devel-3.8.10.2-1.2.mga5
libsqlite3-static-devel-3.8.10.2-1.2.mga5
sqlite3-tools-3.8.10.2-1.2.mga5
lemon-3.8.10.2-1.2.mga5
sqlite3-tcl-3.8.10.2-1.2.mga5

from sqlite3-3.8.10.2-1.2.mga5.src.rpm
Comment 4 claire robinson 2016-07-14 17:41:09 CEST 
Testing complete mga5 64

Confirmed patch has been applied using rpmdiff on madb
Tested with a drupal sqlite installation.

Whiteboard: (none) => mga5-64-ok

Dave Hodgins 2016-07-14 20:06:32 CEST

Keywords: (none) => validated_update
Whiteboard: mga5-64-ok => mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-07-14 22:34:49 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0255.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED