Bug 30987

Summary: tcl uses bundled sqlite3 instead of system one (bsc#1195773)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO
Source RPM: tcl-8.6.12-2.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-10-19 16:46:02 CEST 
SUSE has issued an advisory today (October 19):
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012573.html

Mageia 8 is also affected.
David Walser 2022-10-19 16:46:08 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-10-19 20:13:01 CEST 
The advisory is for Suse itself, also the patches (which I could not find); their bug
 https://bugzilla.suse.com/1195773

Assigning this globally as 'tcl' has had various maintainers.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2023-06-27 03:20:35 CEST 
I just checked code in both pkgs for mga8 and Cauldron and neither of them uses a bundled copy of sqlite3, they haven't a folder called "./pkgs/sqlite3/".

We can close this bug as INVALID!

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-06-27 04:27:08 CEST 
Are you sure?  The TCL and libtcl packages don't have libsqlite3 as a dependency.
Comment 4 David GEIGER 2023-06-27 05:46:51 CEST 
Yes completely sure. I don't found any "sqlite3" related code in the source.

Opensuse says:

- Remove the SQLite extension and package it as a subpackage of
  sqlite3 to have only a single copy and keep it more up to date
  (bsc#1195773).


And we have also a sqlite3-tcl sub-pkg provided directly with our sqlite3 src.rpm.
Comment 5 David Walser 2023-06-27 13:54:43 CEST 
Thanks!

Status: NEW => RESOLVED
Resolution: (none) => INVALID