A security issue fixed upstream in sqlite3 has been announced with a CVE: http://openwall.com/lists/oss-security/2018/03/17/1 Patched package uploaded for Cauldron. Patch checked into SVN for Mageia 6. Mageia 5 is also affected, but the patch would need to be rediffed.
I've also checked a rediffed patch for this in to Mageia 5 SVN for the firefox package, as it builds with the bundled sqlite3 (Mageia 6 uses the system sqlite3).
Status comment: (none) => Fix checked into SVN for mga6
Assigning to the registered sqlite3 maintainer.
Assignee: bugsquad => shlomifCC: (none) => marja11
Patch checked into Mageia 5 SVN for sqlite3 as well.
Status comment: Fix checked into SVN for mga6 => Fix checked into SVNWhiteboard: (none) => MGA5TOO
After toggling bcond_without check in the .spec of 6/sqlite3 and building it the tests are failing with a compile error. Is it safe to proceed?
(In reply to Shlomi Fish from comment #4) > After toggling bcond_without check in the .spec of 6/sqlite3 and building it > the tests are failing with a compile error. Is it safe to proceed? Was this case before the patch was added?
Shlomi confirmed on IRC that the test suite breakage happened before the addition of the patch for this issue. He also pushed it to the build system. Advisory: ======================== Updated sqlite3 packages fix security vulnerability: In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c (CVE-2018-8740). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8740 http://openwall.com/lists/oss-security/2018/03/17/1 ======================== Updated packages in core/updates_testing: ======================== libsqlite3_0-3.10.2-1.2.mga5 libsqlite3-devel-3.10.2-1.2.mga5 libsqlite3-static-devel-3.10.2-1.2.mga5 sqlite3-tools-3.10.2-1.2.mga5 lemon-3.10.2-1.2.mga5 sqlite3-tcl-3.10.2-1.2.mga5 libsqlite3_0-3.17.0-2.2.mga6 libsqlite3-devel-3.17.0-2.2.mga6 libsqlite3-static-devel-3.17.0-2.2.mga6 sqlite3-tools-3.17.0-2.2.mga6 lemon-3.17.0-2.2.mga6 sqlite3-tcl-3.17.0-2.2.mga6 from SRPMS: sqlite3-3.10.2-1.2.mga5.src.rpm sqlite3-3.17.0-2.2.mga6.src.rpm
Assignee: shlomif => qa-bugsCC: (none) => shlomif
MGA5-32 on Dell Latitude D600 No installation issues Testing as per bug 21200 Comment 9, getting same results. Also tested .help function, all OK.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OKCC: (none) => herman.viaene
MGA6-32 on Dell Latitude D600 No installation issues. Confirm same results as above Comment 7.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK
Many thanks Herman for both release tests. Validating, advisoried. The CVE leads to a PoC: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1756349 but it uses a test database 'gdal_ossfuzz_6964.db' which I could not find; and valgrind.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0181.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED