| Summary: | sqlite3 new security issues CVE-2017-10989 and CVE-2017-7000 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, mageia, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | advisory MGA5TOO MGA5-64-OK MGA6-32-OK | | |
| Source RPM: | sqlite3-3.17.0-2.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | create a test table for sqlite3 | | |
Description
David Walser
2017-07-07 21:01:59 CEST
David Walser
2017-07-07 21:02:17 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

Fedora has issued an advisory for this today (July 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5LTI7HXMO72BGOW6GWY4GIWPZBXLF3UH/

The newest Chrome update mentions CVE-2017-7000 in SQLite, so this may be affected:
https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html

CVE-2017-10989 only affects Mageia 5 (< 3.17), according to RedHat.

I found the patch from Google Chrome for CVE-2017-7000, which was a relatively easy rediff for 3.17 in Mageia 6 (checked into SVN), but not so much for Mageia 5.

Version: Cauldron => 6

Patch for CVE-2017-7000 successfully rediffed for Mageia 5 and checked into SVN. Patch for CVE-2017-10989 also checked into Mageia 5 SVN.

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated sqlite3 package fixes security vulnerability:

Pointer disclosure in SQLite (CVE-2017-7000).

The getNodeSize function in ext/rtree/rtree.c in SQLite mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact (CVE-2017-10989).

Note: the CVE-2017-10989 issue only affected Mageia 5.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989
https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5LTI7HXMO72BGOW6GWY4GIWPZBXLF3UH/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.10.2-1.1.mga5
libsqlite3-devel-3.10.2-1.1.mga5
libsqlite3-static-devel-3.10.2-1.1.mga5
sqlite3-tools-3.10.2-1.1.mga5
lemon-3.10.2-1.1.mga5
sqlite3-tcl-3.10.2-1.1.mga5
libsqlite3_0-3.17.0-2.1.mga6
libsqlite3-devel-3.17.0-2.1.mga6
libsqlite3-static-devel-3.17.0-2.1.mga6
sqlite3-tools-3.17.0-2.1.mga6
lemon-3.17.0-2.1.mga6
sqlite3-tcl-3.17.0-2.1.mga6

from SRPMS:
sqlite3-3.10.2-1.1.mga5.src.rpm
sqlite3-3.17.0-2.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

Installed and tested (e.g. created DB, sqlite using programs) without issues.
System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver.

$ rpm -qa | grep sqlite3 | sort
lib64sqlite3_0-3.10.2-1.1.mga5
sqlite3-tools-3.10.2-1.1.mga5
$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => mageia

MGA6-32 on Asus A6000VM MATE
No installation issues.
Found a small test in https://www.acmesystems.it/sqlite
I will upload the create.sql file
At CLI:
$ sqlite3 testlite.db
SQLite version 3.17.0 2017-02-13 16:02:40
Enter ".help" for usage hints.
sqlite> .databases
main: /home/tester6/testlite.db
sqlite> .tables
sqlite> .quit
$ sqlite3 testlite.db < create.sql
[tester6@mach6 Documenten]$ sqlite3 testlite.db
SQLite version 3.17.0 2017-02-13 16:02:40
Enter ".help" for usage hints.
sqlite> select * from events;
2017-08-02 14:07:04|First test event
2017-08-02 14:07:04|Second test event
sqlite> .quit
Looks OK.

CC: (none) => herman.viaene

Created attachment 9555 [details]
create a test table for sqlite3

Herman Viaene
2017-08-02 16:14:16 CEST
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK
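A post-update smoke test in the spirit of the QA checks above, added here as an example; it is not part of the bug report, the attachment, or Mageia's QA tooling. It drives the installed libsqlite3 through Python's sqlite3 module, repeats the tester's events-table round-trip, and additionally exercises the RTree module that the CVE-2017-10989 fix in ext/rtree/rtree.c belongs to; the table names, rows and box coordinates are constructed for the example.

```python
import sqlite3


def sqlite_version():
    """Version tuple of the libsqlite3 this process actually loaded, e.g. (3, 17, 0).

    Useful to confirm the process picked up the updated library and not a stale copy.
    """
    return sqlite3.sqlite_version_info


def plain_table_roundtrip(con):
    """Mirror of the tester's create.sql check: insert two events, read them back."""
    con.execute("CREATE TABLE events (ts TEXT NOT NULL, note TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO events VALUES (?, ?)",
        [("2017-08-02 14:07:04", "First test event"),     # constructed rows
         ("2017-08-02 14:07:04", "Second test event")],
    )
    return [row[1] for row in con.execute("SELECT ts, note FROM events ORDER BY rowid")]


def rtree_query(con):
    """Create an RTree index, insert constructed boxes, and query the boxes containing a point.

    Returns None when this libsqlite3 was built without SQLITE_ENABLE_RTREE, so the
    caller can tell "module absent" apart from "module broken".
    """
    try:
        con.execute("CREATE VIRTUAL TABLE boxes USING rtree(id, minx, maxx, miny, maxy)")
    except sqlite3.OperationalError as exc:  # 'no such module: rtree'
        if "rtree" in str(exc):
            return None
        raise
    con.executemany(
        "INSERT INTO boxes VALUES (?, ?, ?, ?, ?)",
        [(1, 0, 10, 0, 10), (2, 5, 15, 5, 15), (3, 20, 30, 20, 30)],  # constructed boxes
    )
    rows = con.execute(
        "SELECT id FROM boxes WHERE minx <= ? AND maxx >= ? AND miny <= ? AND maxy >= ? ORDER BY id",
        (7, 7, 7, 7),  # point (7, 7) lies inside boxes 1 and 2 only
    )
    return [r[0] for r in rows]


def run_smoke_test(path=":memory:"):
    """Run all checks on one connection and return their results for inspection."""
    con = sqlite3.connect(path)
    try:
        return {"version": sqlite_version(),
                "events": plain_table_roundtrip(con),
                "rtree_hits": rtree_query(con)}
    finally:
        con.close()


if __name__ == "__main__":
    print(run_smoke_test())
```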
Rémi Verschelde
2017-08-03 09:44:58 CEST
Keywords: (none) => validated_update

Rémi Verschelde
2017-08-03 18:53:46 CEST
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK => advisory MGA5TOO MGA5-64-OK MGA6-32-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0238.html

Status: NEW => RESOLVED