| Summary: | sqlite3 new security issues CVE-2023-2137 and CVE-2023-7104 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | sqlite3-3.40.1-1.mga9.src.rpm | CVE: | CVE-2023-2137, CVE-2023-7104 |
| Status comment: | |||
Description

David Walser
2023-05-04 17:26:28 CEST

David Walser
2023-05-04 17:26:36 CEST

Whiteboard: (none) => MGA8TOO

Assigning to Stig, the current packager looking after sqlite3.

Assignee: bugsquad => smelror

Ubuntu has issued an advisory on January 3: https://ubuntu.com/security/notices/USN-6566-1

CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap buffer overflow in sqlite. (CVE-2023-2137)

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. (CVE-2023-7104)

References:
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
https://ubuntu.com/security/notices/USN-6566-1
========================

Updated packages in core/updates_testing:
========================
lemon-3.40.1-1.1.mga9
lib(64)sqlite3_0-3.40.1-1.1.mga9
lib(64)sqlite3-devel-3.40.1-1.1.mga9
lib(64)sqlite3-static-devel-3.40.1-1.1.mga9
sqlite3-tcl-3.40.1-1.1.mga9
sqlite3-tools-3.40.1-1.1.mga9

from SRPM:
sqlite3-3.40.1-1.1.mga9.src.rpm

Assignee: smelror => qa-bugs
PC LX
2024-03-14 18:14:13 CET

CC: (none) => mageia

katnatek
2024-03-14 20:18:09 CET

Keywords: (none) => advisory

katnatek
2024-03-16 18:27:08 CET

CC: (none) => herman.viaene

Herman Viaene, can you please do the same test as in previous rounds? Thank you.

katnatek
2024-03-17 00:22:35 CET

CC: (none) => andrewsfarm
RH mageia 9 x86_64

Install all the packages, uninstall devel and extra packages, keep the updated lib64sqlite3_0.

```
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
installing lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64.rpm sqlite3-tools-3.40.1-1.1.mga9.x86_64.rpm lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64.rpm lib64sqlite3_0-3.40.1-1.1.mga9.x86_64.rpm sqlite3-tcl-3.40.1-1.1.mga9.x86_64.rpm lemon-3.40.1-1.1.mga9.x86_64.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/6: lib64sqlite3_0        ######################################################################################
      2/6: sqlite3-tools         ######################################################################################
      3/6: lib64sqlite3-devel    ######################################################################################
      4/6: lib64sqlite3-static-devel
                                 ######################################################################################
      5/6: sqlite3-tcl           ######################################################################################
      6/6: lemon                 ######################################################################################
      1/1: removing lib64sqlite3_0-3.40.1-1.mga9.x86_64
                                 ######################################################################################
```

```
urpme $(rpm -qa|grep sqlite3|grep devel) lemon
quitando lemon-3.40.1-1.1.mga9.x86_64 lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64 lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64
quitando paquete lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64
      1/3: quitando lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64
                                 ######################################################################################
quitando paquete lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64
      2/3: quitando lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64
                                 ######################################################################################
quitando paquete lemon-3.40.1-1.1.mga9.x86_64
      3/3: quitando lemon-3.40.1-1.1.mga9.x86_64
                                 ######################################################################################
```

```
LC_ALL=C urpme sqlite3-tools sqlite3-tcl
removing sqlite3-tcl-3.40.1-1.1.mga9.x86_64 sqlite3-tools-3.40.1-1.1.mga9.x86_64
removing package sqlite3-tcl-3.40.1-1.1.mga9.x86_64
      1/2: removing sqlite3-tcl-3.40.1-1.1.mga9.x86_64
                                 ######################################################################################
removing package sqlite3-tools-3.40.1-1.1.mga9.x86_64
      2/2: removing sqlite3-tools-3.40.1-1.1.mga9.x86_64
                                 ######################################################################################
```
@Comment 4: your wish is my command. Installed sqlitestudio and repeated the test as in bug 31312: table with autoincrement primary key, unique text field, other text field without rules and a timestamp. Works OK.

Whiteboard: (none) => MGA9-64-OK

Herman's test (thank you for that) was enough in previous rounds.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0073.html

Status: ASSIGNED => RESOLVED
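The functional check described in the QA comments above (a table with an autoincrement primary key, a unique text field, a free-form text field and a timestamp), written as a scripted smoke test. This is an added example, not part of the bug report or of the Mageia packages; it also reports `sqlite3.sqlite_version` so a tester can confirm that the updated libsqlite3 is the one actually loaded by the interpreter. Table and column names are constructed for the example.

```python
import sqlite3

# Constructed schema mirroring the QA round: AUTOINCREMENT primary key,
# UNIQUE text column, a text column without rules and a timestamp column.
SCHEMA = """
CREATE TABLE IF NOT EXISTS qa_items (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    tag     TEXT NOT NULL UNIQUE,
    note    TEXT,
    created TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def library_version():
    """Version string of the libsqlite3 linked into this interpreter."""
    return sqlite3.sqlite_version

def insert_item(conn, tag, note=None):
    """Insert one row and return the id assigned by AUTOINCREMENT."""
    cur = conn.execute("INSERT INTO qa_items (tag, note) VALUES (?, ?)", (tag, note))
    conn.commit()
    return cur.lastrowid

def duplicate_rejected(conn, tag):
    """True if inserting an already-present tag trips the UNIQUE constraint."""
    try:
        conn.execute("INSERT INTO qa_items (tag) VALUES (?)", (tag,))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()  # discard the unexpected insert; report failure
    return False

def run_smoke_test():
    conn = open_db()
    first = insert_item(conn, "alpha", "first row")
    second = insert_item(conn, "beta")
    conn.execute("DELETE FROM qa_items WHERE id = ?", (second,))
    conn.commit()
    third = insert_item(conn, "gamma")  # AUTOINCREMENT must not reuse id 2
    rows = conn.execute("SELECT id, tag, created FROM qa_items ORDER BY id").fetchall()
    return {
        "version": library_version(),
        "ids": [first, second, third],
        "unique_ok": duplicate_rejected(conn, "alpha"),
        "timestamps_set": all(r[2] for r in rows),
        "row_count": len(rows),
    }
```

Run it with the updated lib64sqlite3_0 installed and compare the reported version with `rpm -q lib64sqlite3_0`; a mismatch means a different libsqlite3 is being picked up.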