18869 – sqlite3 new security issue CVE-2016-6153

Bug 18869 - sqlite3 new security issue CVE-2016-6153

Summary: sqlite3 new security issue CVE-2016-6153

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/693574/
Whiteboard:	mga5-64-ok advisory
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-07-05 20:00 CEST by David Walser
Modified:	2016-07-14 22:34 CEST (History)
CC List:	2 users (show)

See Also:
Source RPM:	sqlite3-3.12.2-2.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-07-05 20:00:47 CEST

A CVE has been assigned for an issue fixed in sqlite3 3.13.0:
http://openwall.com/lists/oss-security/2016/07/01/2

The relevant commits are linked in the thread above.

I'm not sure why this is being classified as a security issue, as it just sounds like a bug to me.  It is a legitimate bug, and would at least affect Mageia configurations using msec secure mode.

We should probably fix it at some point.

Mageia 5 is also affected.

David Walser 2016-07-05 20:01:02 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-06 18:42:21 CEST

Debian-LTS has issued an advisory for this on July 5:
http://lwn.net/Alerts/693549/

URL: (none) => http://lwn.net/Vulnerabilities/693574/

Comment 2 David Walser 2016-07-07 21:14:46 CEST

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated sqlite3 packages fix security vulnerability:

It was discovered that sqlite3 would reject a temporary directory (e.g., as
specified by the TMPDIR environment variable) to which the executing user did
not have read permissions. This could result in information leakage as less
secure global temporary directories (e.g., /var/tmp or /tmp) would be used
instead (CVE-2016-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153
http://lwn.net/Alerts/693549/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.8.10.2-1.1.mga5
libsqlite3-devel-3.8.10.2-1.1.mga5
libsqlite3-static-devel-3.8.10.2-1.1.mga5
sqlite3-tools-3.8.10.2-1.1.mga5
lemon-3.8.10.2-1.1.mga5
sqlite3-tcl-3.8.10.2-1.1.mga5

from sqlite3-3.8.10.2-1.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2016-07-09 19:30:32 CEST

The last person to update this package put the subrel in the wrong location in the spec so I didn't see it.  I just had to bump it and build it again.

libsqlite3_0-3.8.10.2-1.2.mga5
libsqlite3-devel-3.8.10.2-1.2.mga5
libsqlite3-static-devel-3.8.10.2-1.2.mga5
sqlite3-tools-3.8.10.2-1.2.mga5
lemon-3.8.10.2-1.2.mga5
sqlite3-tcl-3.8.10.2-1.2.mga5

from sqlite3-3.8.10.2-1.2.mga5.src.rpm

Comment 4 claire robinson 2016-07-14 17:41:09 CEST

Testing complete mga5 64

Confirmed patch has been applied using rpmdiff on madb
Tested with a drupal sqlite installation.

Whiteboard: (none) => mga5-64-ok

Dave Hodgins 2016-07-14 20:06:32 CEST

Keywords: (none) => validated_update
Whiteboard: mga5-64-ok => mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-07-14 22:34:49 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0255.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.