Bug 31312

Summary: sqlite3 new security issue CVE-2022-46908
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: sqlite3-3.39.2-1.mga8.src.rpm CVE: CVE-2022-46908
Status comment:

Description David Walser 2022-12-22 16:25:08 CET 
SUSE has issued an advisory on December 21:
https://lists.suse.com/pipermail/sle-security-updates/2022-December/013303.html

Mageia 8 is also affected.
David Walser 2022-12-22 16:25:16 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-12-22 20:06:15 CET 
It seems these packages are mofified:
 libsqlite3-0 >= 3.39.3-150000.3.20.1
 libsqlite3-0-32bit >= 3.39.3-150000.3.20.1
 sqlite3 >= 3.39.3-150000.3.20.1
 sqlite3-devel >= 3.39.3-150000.3.20.1
 sqlite3-tcl >= 3.39.3-150000.3.20.1

Following the advisory links, I could not arrive nearer to the patch than:
SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4603=1
SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-4603=1

Stig is the main committer for sqlite3 version updates, so assigning to you. This looks more complicated.

Assignee: bugsquad => smelror

Comment 2 David Walser 2022-12-28 17:56:25 CET 
openSUSE has issued an advisory for this today (December 28):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XNUCFJDJQRYX6KHGSM7ODVW7QJMN7GP5/
Comment 3 Nicolas Salguero 2023-03-13 15:21:17 CET 
Hi,

For Cauldron, sqlite3-3.40.1-1.mga9 solves that issue.

Best regards,

Nico.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero

Comment 4 Nicolas Salguero 2023-03-13 15:43:12 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE. (CVE-2022-46908)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46908
https://lists.suse.com/pipermail/sle-security-updates/2022-December/013303.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XNUCFJDJQRYX6KHGSM7ODVW7QJMN7GP5/
========================

Updated packages in core/updates_testing:
========================
lemon-3.39.2-1.1.mga8
lib(64)sqlite3_0-3.39.2-1.1.mga8
lib(64)sqlite3-devel-3.39.2-1.1.mga8
lib(64)sqlite3-static-devel-3.39.2-1.1.mga8
sqlite3-tcl-3.39.2-1.1.mga8
sqlite3-tools-3.39.2-1.1.mga8

from SRPM:
sqlite3-3.39.2-1.1.mga8.src.rpm

Assignee: smelror => qa-bugs
Status: NEW => ASSIGNED
Source RPM: sqlite3-3.40.0-1.mga9.src.rpm => sqlite3-3.39.2-1.mga8.src.rpm
CVE: (none) => CVE-2022-46908

Comment 5 Herman Viaene 2023-03-16 15:26:35 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
As in bug 30660, used sqlitestudio to delete existing database, created a new database and create a new table in it with a PK, not null string, other string without rules and a timestamp column. Populated a few rows, all worked OK.

CC: (none) => herman.viaene

Herman Viaene 2023-03-16 15:26:50 CET

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-03-16 15:30:03 CET 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-17 23:33:44 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-03-18 23:18:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0094.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED