Fedora has issued an advisory on April 18: https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155801.html The issues are fixed upstream in 3.8.9. We will need to update this for the next Firefox ESR soon anyway.
CC: (none) => fundawang, thierry.vignaud
Whiteboard: (none) => MGA5TOO, MGA4TOO
Update to 3.8.9 checked into Mageia 4 and Cauldron SVN. Freeze push requested.
URL: (none) => http://lwn.net/Vulnerabilities/641592/
CVE-2015-3414: https://bugzilla.redhat.com/show_bug.cgi?id=1212353
CVE-2015-3415: https://bugzilla.redhat.com/show_bug.cgi?id=1212356
CVE-2015-3416: https://bugzilla.redhat.com/show_bug.cgi?id=1212357
CC: (none) => oe
Proposed advisory:
Multiple vulnerabilities have been found and corrected in sqlite3:
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement (CVE-2015-3414).
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement (CVE-2015-3415).
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement (CVE-2015-3416).
The updated packages provide a solution for these security issues.
sqlite3-3.8.9-1.mga5 uploaded for Cauldron. Thanks for the advisory Oden. Do you think we should push this update soon, or would it be OK to wait until we update to the next Firefox ESR (38)?
Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4
Mandriva has issued an advisory for this today (April 30): http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A217/
Rather than waiting for the next ESR, we can include this with the next round of Mozilla updates (should be the last ESR31), which I hear are expected next Tuesday (May 12). We'll also be updating rootcerts and nss:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
We'll update to 3.8.10.1 when we do the next round of Mozilla updates. It's already updated as such in Cauldron. CVE request for additional issues fixed in 3.8.10.1: http://openwall.com/lists/oss-security/2015/05/12/7
Depends on: (none) => 15920
Fixed in http://advisories.mageia.org/MGASA-2015-0234.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED