Bug 30660

Summary: sqlite3 new security issue CVE-2022-35737
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, mhrambo3501, sysadmin-bugs
Version: 8Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: sqlite3-3.34.1-1.2.mga8.src.rpm CVE: CVE-2022-35737
Status comment:

Description David Walser 2022-07-22 16:56:30 CEST 
SQLite3 3.39.2 has been released on July 21, fixing a security issue:
https://www.sqlite.org/releaselog/3_39_2.html
David Walser 2022-07-22 16:56:41 CEST

Status comment: (none) => Fixed upstream in 3.39.2

Comment 1 Marja Van Waes 2022-07-24 22:44:59 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2022-07-27 20:49:06 CEST 
Updated package built for Mageia 8


Advisory:
========================

Updated sqlite3 package fixes security vulnerability:

It was discovered that sqlite contained an assertion failure upon queries when 
compiled with -DSQLITE_ENABLE_STAT4 (CVE-2022-35737).


References:
https://www.sqlite.org/releaselog/3_39_2.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35737
https://sqlite.org/forum/forumpost/3607259d3c
========================

Updated packages in core/updates_testing:
========================
lemon-3.39.2-1.mga8.x86_64.rpm
lib64sqlite3_0-3.39.2-1.mga8.x86_64.rpm
lib64sqlite3-devel-3.39.2-1.mga8.x86_64.rpm
lib64sqlite3-static-devel-3.39.2-1.mga8.x86_64.rpm
sqlite3-tcl-3.39.2-1.mga8.x86_64.rpm
sqlite3-tools-3.39.2-1.mga8.x86_64.rpm

from sqlite3-3.39.2-1.mga8.src.rpm


Possible testing procedure: https://bugs.mageia.org/show_bug.cgi?id=30384#c3

Keywords: (none) => has_procedure
Status comment: Fixed upstream in 3.39.2 => (none)
CC: (none) => mhrambo3501
CVE: (none) => CVE-2022-35737
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2022-07-30 14:00:01 CEST 
MGA8-64  Plasma on Acer Aspire 5253
No installation issues.
Did the same as in procedure suggested above:
With sqlitesudio created a new database and create a new table in it with a PK, not null string, other string without rules and a timestamp column. Populated a few rows, all worked OK.

CC: (none) => herman.viaene

Herman Viaene 2022-07-30 14:00:17 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-08-01 14:09:34 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-08-03 00:25:26 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-08-05 23:01:49 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0273.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2022-10-25 23:04:13 CEST 
Full explanation of this vulnerability:
https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/