A CVE has been assigned for an issue fixed in sqlite3 3.13.0:
http://openwall.com/lists/oss-security/2016/07/01/2

The relevant commits are linked in the thread above.

I'm not sure why this is being classified as a security issue, as it just sounds like a bug to me. It is a legitimate bug, and would at least affect Mageia configurations using msec secure mode. We should probably fix it at some point.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian-LTS has issued an advisory for this on July 5: http://lwn.net/Alerts/693549/
URL: (none) => http://lwn.net/Vulnerabilities/693574/
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated sqlite3 packages fix security vulnerability:

It was discovered that sqlite3 would reject a temporary directory (e.g., as specified by the TMPDIR environment variable) to which the executing user did not have read permissions. This could result in information leakage as less secure global temporary directories (e.g., /var/tmp or /tmp) would be used instead (CVE-2016-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153
http://lwn.net/Alerts/693549/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.8.10.2-1.1.mga5
libsqlite3-devel-3.8.10.2-1.1.mga5
libsqlite3-static-devel-3.8.10.2-1.1.mga5
sqlite3-tools-3.8.10.2-1.1.mga5
lemon-3.8.10.2-1.1.mga5
sqlite3-tcl-3.8.10.2-1.1.mga5

from sqlite3-3.8.10.2-1.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)
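The behaviour the advisory describes, as an added example that is not part of this bug report or of sqlite3's own code: a small C checker that reports whether a check requiring read permission would skip the directory named by TMPDIR. That the fixed check needs only write and search permission is an assumption here, as are the function names; root, supplementary groups and ACLs are ignored.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* rwx bits (4|2|1) that uid/gid holds on a file with this mode and owner.
 * Simplifying assumption: no root override, supplementary groups or ACLs. */
int effective_perms(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid) {
    if (uid == owner) return (int)((mode >> 6) & 7);
    if (gid == group) return (int)((mode >> 3) & 7);
    return (int)(mode & 7);
}

/* 0 = accepted whether or not read permission is required,
 * 1 = write+search only: rejected by a check that also demands read
 *     (the case described in the advisory for CVE-2016-6153),
 * 2 = not usable as a temporary directory under either check. */
int classify_tmpdir(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid) {
    int p = effective_perms(mode, owner, group, uid, gid);
    if (!S_ISDIR(mode) || (p & (W_OK | X_OK)) != (W_OK | X_OK)) return 2;
    return (p & R_OK) ? 0 : 1;
}

int main(void) {
    const char *dir = getenv("TMPDIR");
    struct stat st;
    if (!dir || stat(dir, &st) != 0) {
        puts("TMPDIR unset or missing: global temporary directories apply");
        return 0;
    }
    switch (classify_tmpdir(st.st_mode, st.st_uid, st.st_gid, getuid(), getgid())) {
    case 0: printf("%s: accepted with or without the read requirement\n", dir); break;
    case 1: printf("%s: write+search only; unpatched sqlite3 skips it and "
                   "falls back to a global directory such as /var/tmp or /tmp\n", dir); break;
    default: printf("%s: not usable as a temporary directory\n", dir);
    }
    return 0;
}
```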
The last person to update this package put the subrel in the wrong location in the spec so I didn't see it. I just had to bump it and build it again.

libsqlite3_0-3.8.10.2-1.2.mga5
libsqlite3-devel-3.8.10.2-1.2.mga5
libsqlite3-static-devel-3.8.10.2-1.2.mga5
sqlite3-tools-3.8.10.2-1.2.mga5
lemon-3.8.10.2-1.2.mga5
sqlite3-tcl-3.8.10.2-1.2.mga5

from sqlite3-3.8.10.2-1.2.mga5.src.rpm
Testing complete mga5 64

Confirmed patch has been applied using rpmdiff on madb.
Tested with a drupal sqlite installation.
Whiteboard: (none) => mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: mga5-64-ok => mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0255.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED