Bug 15756 - sqlite3 new security issues fixed upstream in 3.8.9
Summary: sqlite3 new security issues fixed upstream in 3.8.9
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/641592/
Whiteboard:
Keywords:
Depends on: 15920
Blocks:
Reported: 2015-04-23 15:12 CEST by David Walser
Modified: 2015-05-18 21:27 CEST

See Also:
Source RPM: sqlite3-3.8.7.4-2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-04-23 15:12:34 CEST
Fedora has issued an advisory on April 18:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155801.html

The issues are fixed upstream in 3.8.9.

We will need to update this for the next Firefox ESR soon anyway.

David Walser 2015-04-23 15:12:48 CEST

CC: (none) => fundawang, thierry.vignaud
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-23 20:03:08 CEST
Update to 3.8.9 checked into Mageia 4 and Cauldron SVN.  Freeze push requested.
David Walser 2015-04-23 20:05:16 CEST

URL: (none) => http://lwn.net/Vulnerabilities/641592/

Comment 3 Oden Eriksson 2015-04-30 09:15:32 CEST
Proposed advisory:

Multiple vulnerabilities have been found and corrected in sqlite3:

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement (CVE-2015-3414).

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement (CVE-2015-3415).

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement (CVE-2015-3416).

The updated packages provide a solution for these security issues.
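A triage harness for the three issues named in the proposed advisory above. This is an added example, not code from this bug, from the advisory, or from SQLite upstream. It compares the SQLite library that Python is linked against with the 3.8.9 fix release (accepting package-style strings such as "3.8.9-1.mga5") and then runs one probe statement per CVE in a child interpreter, so that a crash (the denial-of-service outcome for all three) is reported as a verdict instead of killing the harness. The probe statements are assumptions built from the advisory's wording ("COLLATE"""""""" at the end of a SELECT", "CHECK(0&O>O) in a CREATE TABLE", "large integers in a crafted printf"); they approximate rather than reproduce the upstream test cases.

```python
"""Triage harness for the three SQLite issues fixed upstream in 3.8.9.

Added example, not code from the Mageia bug, the advisory or SQLite upstream.
It does the two things a packager wants before deciding whether a system is
exposed:

  1. compare the SQLite library Python is linked against with the 3.8.9 fix
     release (tolerating package-style strings such as "3.8.9-1.mga5"), and
  2. run the crafted statements described in the advisory in a *child*
     interpreter, so that a crash (the denial-of-service outcome for all
     three CVEs) is reported as a result instead of taking the harness down.

The probe statements are assumptions built from the advisory's wording; they
approximate rather than reproduce the upstream test cases.
"""
import subprocess
import sqlite3
import sys

FIXED_VERSION = (3, 8, 9)

# One probe per CVE, constructed from the advisory's description (assumed).
PROBES = {
    # dequoting of a collation-sequence name consisting only of quote characters
    "CVE-2015-3414": 'SELECT 1 COLLATE"""""""";',
    # CHECK(0&O>O) in CREATE TABLE, then one row so the constraint is evaluated
    "CVE-2015-3415": "CREATE TABLE t(O INTEGER CHECK(0&O>O)); INSERT INTO t VALUES(1);",
    # an integer-sized field width in a floating-point printf conversion
    "CVE-2015-3416": "SELECT printf('%2147483647f', 1.0);",
}


def parse_version(text):
    """'3.8.7.4' -> (3, 8, 7, 4); '3.8.9-1.mga5' -> (3, 8, 9)."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def is_fixed(version_text, fixed=FIXED_VERSION):
    """True when the version is at or beyond the upstream fix release.

    Tuple comparison also handles four-component releases such as 3.8.10.1.
    """
    return parse_version(version_text) >= fixed


# Script run by the child interpreter: it prints a one-word verdict and lets
# SQLite-level rejections surface as a clean 'error' instead of a crash.
_CHILD = r"""
import sqlite3, sys
con = sqlite3.connect(':memory:')
try:
    con.executescript(sys.argv[1])
    print('ok')
except sqlite3.Error as exc:
    print('error: %s' % exc)
"""


def probe_in_child(sql, timeout=60):
    """Run one probe in a fresh interpreter and classify what happened.

    'ok'       statement executed
    'error'    SQLite rejected it cleanly (the expected result on >= 3.8.9)
    'crashed'  the child died on a signal (POSIX): the memory-safety bug fired
    'abnormal' the child exited non-zero without a signal (not an sqlite3.Error)
    'timeout'  the child did not finish in time
    """
    try:
        proc = subprocess.run([sys.executable, "-c", _CHILD, sql],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0:
        return "crashed"
    if proc.returncode != 0:
        return "abnormal"
    return "ok" if proc.stdout.strip() == "ok" else "error"


def check_linked_sqlite():
    """Version verdict plus the outcome of every probe against the linked library."""
    report = {
        "sqlite_version": sqlite3.sqlite_version,
        "fixed_by_version": is_fixed(sqlite3.sqlite_version),
    }
    for cve, sql in PROBES.items():
        report[cve] = probe_in_child(sql)
    return report


if __name__ == "__main__":
    for key, value in check_linked_sqlite().items():
        print("%-18s %s" % (key, value))
```

The version comparison is the authoritative signal: a build that still uses uninitialized memory (CVE-2015-3414) may happen to report 'ok' rather than 'crashed', so the probes are a sanity check that the library in use behaves as the fixed one does, not a proof of absence. On a library at or past 3.8.9 all three probes should come back 'error' (unknown collation, failed CHECK, string too big or out of memory) without the child dying; the signal-based 'crashed' classification applies to POSIX, where Windows reports a crash as a large positive exit code.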
Comment 4 David Walser 2015-04-30 15:17:50 CEST
sqlite3-3.8.9-1.mga5 uploaded for Cauldron.

Thanks for the advisory Oden.  Do you think we should push this update soon, or would it be OK to wait until we update to the next Firefox ESR (38)?

Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4

Comment 5 David Walser 2015-04-30 15:22:42 CEST
Mandriva has issued an advisory for this today (April 30):
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A217/
Comment 6 David Walser 2015-05-07 18:16:56 CEST
Rather than waiting for the next ESR, we can include this with the next round of Mozilla updates (should be the last ESR31), which I hear are expected next Tuesday (May 12).  We'll also be updating rootcerts and nss:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
Comment 7 David Walser 2015-05-12 19:04:51 CEST
We'll update to 3.8.10.1 when we do the next round of Mozilla updates.  It's already updated as such in Cauldron.

CVE request for additional issues fixed in 3.8.10.1:
http://openwall.com/lists/oss-security/2015/05/12/7
David Walser 2015-05-17 18:24:39 CEST

Depends on: (none) => 15920

Comment 8 David Walser 2015-05-18 21:27:25 CEST
Fixed in http://advisories.mageia.org/MGASA-2015-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
