Bug 24045

Summary: sqlite3 new security issues CVE-2018-20346 and CVE-2018-20506
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, lewyssmith, marja11, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: sqlite3-3.22.0-2.1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-12-23 00:24:22 CET 
A security issue fixed upstream in sqlite3 has been announced:
https://www.openwall.com/lists/oss-security/2018/12/21/1

The issue is fixed in 3.25.3.
Comment 1 Marja Van Waes 2018-12-23 23:06:20 CET 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-12-24 15:54:14 CET 
Update built for Mageia 6 by Shlomi.

libsqlite3_0-3.25.3-1.mga6
libsqlite3-devel-3.25.3-1.mga6
libsqlite3-static-devel-3.25.3-1.mga6
sqlite3-tools-3.25.3-1.mga6
lemon-3.25.3-1.mga6
sqlite3-tcl-3.25.3-1.mga6

from sqlite3-3.25.3-1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

Comment 3 David Walser 2018-12-25 21:50:39 CET 
Fedora has issued an advisory for this on December 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AETFV2K52IOQ4PVVB6HT3KP2XGEMNL2E/

Severity: normal => critical

Comment 4 Herman Viaene 2018-12-26 10:22:09 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref bug 21200 for test file and Comment 9 for test procedure.
At CLI:
$ sqlite3 testlite.db
SQLite version 3.25.3 2018-11-05 20:37:38
Enter ".help" for usage hints.
sqlite> .databases
main: /home/tester6/Documenten/testlite.db
sqlite> .tables
sqlite> .quit
$ sqlite3 testlite.db < create.sql
$ sqlite3 testlite.db
SQLite version 3.25.3 2018-11-05 20:37:38
Enter ".help" for usage hints.
sqlite> select * from events;
2018-12-26 09:04:29|First test event
2018-12-26 09:04:29|Second test event
sqlite> .quit
$ sqlite3 testlite.db
SQLite version 3.25.3 2018-11-05 20:37:38
Enter ".help" for usage hints.
sqlite> .help
.archive ...           Manage SQL archives: ".archive --help" for details
.auth ON|OFF           Show authorizer callbacks
.backup ?DB? FILE      Backup DB (default "main") to FILE
                         Add "--append" to open using appendvfs.
.bail on|off           Stop after hitting an error.  Default OFF
.binary on|off         Turn binary output on or off.  Default OFF
.cd DIRECTORY          Change the working directory to DIRECTORY
and a lot more...

Seems OK to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2018-12-26 21:11:25 CET 
Advisory done from title, comments 0, 2, 3. Validating (thanks Herman).

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2018-12-27 00:09:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0489.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2019-04-25 00:12:11 CEST 
This update also fixed CVE-2018-20506:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005313.html

Summary: sqlite3 new security issue CVE-2018-20346 => sqlite3 new security issues CVE-2018-20346 and CVE-2018-20506