Bug 30384

Summary: sqlite3 new security issue CVE-2021-36690
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: minor
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 8
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: sqlite3-3.34.1-1.1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-05-05 17:38:03 CEST
Ubuntu has issued an advisory today (May 5):
https://ubuntu.com/security/notices/USN-5403-1

The CVE is disputed and the issue only affects the sqlite3 command, not the library.  We probably don't need to push a fix for this right away (could possibly wait for more CVEs).
Comment 1 Nicolas Lécureuil 2022-05-05 22:25:17 CEST
Fixed in mga8:

src.rpm:
        - sqlite3-3.34.1-1.2.mga8

CC: (none) => mageia
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2022-05-05 23:22:11 CEST
sqlite3-tools-3.34.1-1.2.mga8
libsqlite3_0-3.34.1-1.2.mga8
libsqlite3-devel-3.34.1-1.2.mga8
lemon-3.34.1-1.2.mga8
sqlite3-tcl-3.34.1-1.2.mga8
libsqlite3-static-devel-3.34.1-1.2.mga8

from sqlite3-3.34.1-1.2.mga8.src.rpm
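A quick way to confirm on a Mageia 8 host that every binary package from this source RPM is at or above the fixed release. This is an added example, not part of the bug report or of the Mageia update; it assumes GNU coreutils (for `sort -V`) and the `%{NAME} %{VERSION}-%{RELEASE}` query format of `rpm -q --qf`. The package list embedded below is a constructed sample of that output so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Mageia bug report): report which installed
# sqlite3 packages are still below the release that carries the fix.

# Fixed version-release from the update (epoch assumed 0 for all of them).
FIXED_VR="3.34.1-1.2.mga8"

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...`
# on a host where one package was not refreshed.
SAMPLE_RPM_OUTPUT='sqlite3-tools 3.34.1-1.2.mga8
libsqlite3_0 3.34.1-1.2.mga8
libsqlite3-devel 3.34.1-1.1.mga8
lemon 3.34.1-1.2.mga8'

# ver_ge INSTALLED FIXED: succeeds when INSTALLED >= FIXED.
# sort -V orders 1.2 before 1.10, which plain string comparison gets wrong.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# find_outdated "<rpm -q output>": prints each package below FIXED_VR,
# one per line, and returns 1 if any were found (0 if all are current).
find_outdated() {
    _input="$1"
    _rc=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        if ! ver_ge "$vr" "$FIXED_VR"; then
            echo "$name $vr (needs $FIXED_VR)"
            _rc=1
        fi
    done <<EOF
$_input
EOF
    return $_rc
}

# Live use on a Mageia 8 host (needs rpm; not executed here):
# find_outdated "$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
#     sqlite3-tools libsqlite3_0 libsqlite3-devel lemon \
#     sqlite3-tcl libsqlite3-static-devel)"
```

Run against the sample, the function lists `libsqlite3-devel 3.34.1-1.1.mga8 (needs 3.34.1-1.2.mga8)` and exits non-zero, so it can gate a post-update check. Because the CVE only concerns the `sqlite3` command-line tool, `sqlite3-tools` is the package that matters for the advisory itself; the others are checked so the whole source RPM is known to be consistent.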
Comment 3 Herman Viaene 2022-05-10 14:04:23 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Installed sqlitestudio alongside and used that to create a new database and create a new table in it with a PK, not null string, other string without rules and a timestamp column. Populated a few rows, all worked OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-05-10 14:23:56 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Dave Hodgins 2022-05-12 00:06:23 CEST
Advisory committed to svn as ...
type: security
subject: Updated sqlite3 packages fix security vulnerability
CVE:
 - CVE-2021-36690
src:
  8:
   core:
     - sqlite3-3.34.1-1.2.mga8
description: |
  ** DISPUTED ** A segmentation fault can occur in the sqlite3.exe
  command-line component of SQLite 3.36.0 via the idxGetTableInfo function
  when there is a crafted SQL query. NOTE: the vendor disputes the relevance
  of this report because a sqlite3.exe user already has full privileges
  (e.g., is intentionally allowed to execute commands). This report does NOT
  imply any problem in the SQLite library.
  
  As the cve assignment is disputed, this update may be changed in future
  from a security update to a bugfix update.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30384
 - https://ubuntu.com/security/notices/USN-5403-1

CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-12 12:26:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED