| Summary: | sqlite3 new security issues CVE-2019-13734 and CVE-2019-1375[0-3] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, jim, shlomif, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | sqlite3-3.30.1-3.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 25801, 26137, 26138 | ||
|
Description
David Walser
2020-01-18 20:27:16 CET
David Walser
2020-01-18 20:27:34 CET
Blocks:
(none) =>
26103, 25801 This SRPM has been nursed by various people, so assigning the bug globally. Assignee:
bugsquad =>
pkg-bugs
David Walser
2020-01-18 21:03:32 CET
Blocks:
26103 =>
(none) Fixed in Cauldron by Shlomi in sqlite3-3.31.0-1.mga8. Version:
Cauldron =>
7 Done also for mga7 with latest 3.31.0 release! CC:
(none) =>
geiger.david68210 Thanks David! Does this also fix the issues in Bug 25801? Preliminary advisory below... Advisory: ======================== Updated sqlite3 packages fix security vulnerabilities: An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753 https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html ======================== Updated packages in core/updates_testing: ======================== libsqlite3_0-3.31.0-1.mga7 libsqlite3-devel-3.31.0-1.mga7 libsqlite3-static-devel-3.31.0-1.mga7 sqlite3-tools-3.31.0-1.mga7 lemon-3.31.0-1.mga7 sqlite3-tcl-3.31.0-1.mga7 from sqlite3-3.31.0-1.mga7.src.rpm Status comment:
Fixed upstream in 3.31.0 =>
(none) (In reply to David Walser from comment #4) > Thanks David! Does this also fix the issues in Bug 25801? > I hope so.... Advisory: ======================== Updated sqlite3 packages fix security vulnerabilities: It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service (CVE-2019-16168). It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to mishandles some expressions (CVE-2019-19242). It was discovered that SQLite incorrectly handled certain queries. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-19244). An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244 https://usn.ubuntu.com/4205-1/ https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html It looks like tv added an additional patch for CVE-2019-19880 and CVE-2019-19926 in Cauldron, so we should add it here too. Keywords:
(none) =>
feedback Oh nevermind, those CVEs were already fixed in 3.31.0. Adding to the advisory. Advisory: ======================== Updated sqlite3 packages fix security vulnerabilities: An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0. It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service (CVE-2019-16168). It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to mishandles some expressions (CVE-2019-19242). It was discovered that SQLite incorrectly handled certain queries. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-19244). exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled (CVE-2019-19880). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880 https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html https://usn.ubuntu.com/4205-1/ Keywords:
feedback =>
(none)
Thomas Andrews
2020-01-27 19:11:15 CET
Blocks:
(none) =>
26138 Bug 26138 (Thunderbird) will not update without the lib64sqlite package. So, I updated these packages, Thunderbird, and bug 26137 (Firefox) all in one operation. All packages installed cleanly. More detailed tests are probably needed, but in so far as Thunderbird uses this, it worked OK. CC:
(none) =>
andrewsfarm MGA7-64 Plasma on Lenovo B50 No installation issues, but this caused some 5 or 6 packages, leftover from the dependencies of QGIS, to be removed as these are reported to be dependent on sqlite version 3.28. Installed sqlitestudio alongside and used that to create a new database ans create a new table in it. Will come back for OK, after testing Thundebird and Firefox versions. CC:
(none) =>
herman.viaene 3.31.1 fixes a couple of regressions, perhaps we should update again...: https://www.sqlite.org/releaselog/3_31_1.html Yes, it reportedly can break thunderbird, firefox and other mozilla based stuff, so I'd suggest we bump to 3.31.1 and then rebuild both thunderbird and firefox to ensure they still work... CC:
(none) =>
tmb OK I updated it. libsqlite3_0-3.31.1-1.mga7 libsqlite3-devel-3.31.1-1.mga7 libsqlite3-static-devel-3.31.1-1.mga7 sqlite3-tools-3.31.1-1.mga7 lemon-3.31.1-1.mga7 sqlite3-tcl-3.31.1-1.mga7 from sqlite3-3.31.1-1.mga7.src.rpm Hmm. The error message I got when trying to update Thunderbird specified a lib64sqlite3_0 greater than or equal to 3.31.0, so this stuff should install OK along with the already-updated Firefox and Thunderbird on this system. Of course, that doesn't mean those two apps won't be broken. Should I go ahead and install the packages from here and see if they break FF and/or T-bird as they are, or would it be wiser just to wait for rebuilt versions that will be coming anyway and do all at once?
Thomas Backlund
2020-01-28 19:52:22 CET
Keywords:
(none) =>
advisory Thomas, everything is built. You may proceed with testing.
Nicolas Salguero
2020-01-29 09:19:31 CET
Blocks:
(none) =>
26137 Repeated test as per Comment 10, looks OK. Updated packages from all three bugs in one operation, as in Comment 9, except on different hardware. The following 8 packages are going to be installed: - firefox-68.4.2-3.mga7.x86_64 - firefox-en_US-68.4.2-1.mga7.noarch - lib64nss3-3.49.2-1.mga7.x86_64 - lib64sqlite3_0-3.31.1-1.mga7.x86_64 - nss-3.49.2-1.mga7.x86_64 - sqlite3-tools-3.31.1-1.mga7.x86_64 - thunderbird-68.4.2-3.mga7.x86_64 - thunderbird-en_US-68.4.2-1.mga7.noarch Packages installed cleanly, and everything seems to work. Will test on the system I updated in Comment 9 in a few minutes. The system from Comment 9 seems to be working OK, too. on mga7-64 kernel-desktop plasma packages installed cleanly: - lib64sqlite3_0-3.31.1-1.mga7.x86_64 - sqlite3-tools-3.31.1-1.mga7.x86_64 no regressions noted firefox and thunderbird updated and run OK This update looks OK for mga7-64. CC:
(none) =>
jim OK for me after installing new versions of Firefox and Thundebird. Whiteboard:
(none) =>
MGA7-64-OK Time to let these go. Validating. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0070.html Resolution:
(none) =>
FIXED I believe this update also addressed: CVE-2019-19603 CVE-2019-19645 as seen in: https://usn.ubuntu.com/4394-1/ |