Bug 24750 - sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937
Summary: sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25359
Reported: 2019-05-03 20:35 CEST by David Walser
Modified: 2019-09-06 23:11 CEST (History)
CC: 5 users

See Also:
Source RPM: sqlite3-3.25.3-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2019-05-03 20:35:09 CEST
SUSE has issued an advisory on May 2:
http://lists.suse.com/pipermail/sle-security-updates/2019-May/005419.html

The issues are fixed upstream in 3.28.0.
Comment 1 Marja Van Waes 2019-05-03 21:11:04 CEST
Assigning to our registered sqlite3 maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2019-08-11 22:07:05 CEST
Ubuntu advisory from June 3, with another issue fixed in sqlite3 3.28.0:
https://usn.ubuntu.com/4004-1/

Summary: sqlite3 new security issues CVE-2019-9936 and CVE-2019-9937 => sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937

Comment 3 David Walser 2019-08-11 22:55:07 CEST
Ubuntu advisory for the sqlite3 package itself from June 19:
https://usn.ubuntu.com/4019-1/
Comment 4 David Walser 2019-08-12 15:35:52 CEST
Updated package uploaded by Shlomi.

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

It was discovered that SQLite incorrectly handled certain inputs. An attacker
could possibly use this issue to access sensitive information (CVE-2019-8457).

It was discovered that SQLite incorrectly handled certain queries. An attacker
could possibly use this issue to access sensitive information (CVE-2019-9936).

It was discovered that SQLite incorrectly handled certain inputs. An attacker
could possibly use this issue to cause a crash or execute arbitrary code
(CVE-2019-9937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937
https://usn.ubuntu.com/4019-1/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.28.0-1.mga6
libsqlite3-devel-3.28.0-1.mga6
libsqlite3-static-devel-3.28.0-1.mga6
sqlite3-tools-3.28.0-1.mga6
lemon-3.28.0-1.mga6
sqlite3-tcl-3.28.0-1.mga6

from sqlite3-3.28.0-1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

James Kerr 2019-09-01 14:21:18 CEST

Blocks: (none) => 25359

Comment 5 James Kerr 2019-09-03 22:29:42 CEST
on mga6-64

packages installed cleanly:
sqlite3-tools-3.28.0-1.mga6.x86_64   
lib64sqlite3_0-3.28.0-1.mga6.x86_64   

Using the test file and following the procedure
in bug 21200

$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> .databases
main: /home/jim/testlite.db
sqlite> .tables
sqlite> .quit
$ sqlite3 testlite.db < create.sql
$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> select * from events;
2019-09-02 14:19:41|First test event
2019-09-02 14:19:41|Second test event
sqlite> .quit

looks OK for mga6-64

Whiteboard: (none) => MGA6-64-OK
CC: (none) => jim

Comment 6 James Kerr 2019-09-03 22:44:11 CEST
On mga6-32 in a vbox VM

packages installed cleanly:
sqlite3-tools-3.28.0-1.mga6.i586 
libsqlite3_0-3.28.0-1.mga6.i586  

Using the test file and following the procedure
in bug 21200

$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> .databases
main: /home/jim/testlite.db
sqlite> .tables
sqlite> .quit
$ sqlite3 testlite.db < create.sql
$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> select * from events;
2019-09-03 20:38:38|First test event
2019-09-03 20:38:38|Second test event
sqlite> .quit
$ 

OK for mga6-32

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
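
A scripted form of the QA check in comments 5 and 6 (an added example, not the bug's test file or Mageia's own tooling): it confirms that the linked SQLite library is at or past 3.28.0, the release the report names as fixing the three CVEs, and replays the create/insert/select steps against a throwaway database. The `events` table schema is an assumption, since bug 21200's create.sql is not quoted on this page.

```python
import os
import sqlite3
import tempfile
from datetime import datetime

# Upstream release that fixes CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937 (from the report).
FIXED_VERSION = (3, 28, 0)


def sqlite_is_patched(version_info=sqlite3.sqlite_version_info):
    """Return True when the SQLite library version is at or past the fixed release."""
    return tuple(version_info[:3]) >= FIXED_VERSION


def run_qa_procedure(db_path):
    """Replay the QA steps: create an 'events' table, insert two test events,
    read them back. Returns the list of (timestamp, label) rows.
    Schema is an assumption; the bug's create.sql is not shown on this page."""
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    con = sqlite3.connect(db_path)
    try:
        con.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT NOT NULL, label TEXT NOT NULL)")
        con.executemany(
            "INSERT INTO events (ts, label) VALUES (?, ?)",
            [(stamp, "First test event"), (stamp, "Second test event")],
        )
        con.commit()
        return con.execute("SELECT ts, label FROM events ORDER BY rowid").fetchall()
    finally:
        con.close()


def qa_report(db_path=None):
    """Run both checks; with no path given, use a temporary database and delete it."""
    cleanup = db_path is None
    if cleanup:
        fd, db_path = tempfile.mkstemp(suffix=".db")
        os.close(fd)  # an empty file is treated by SQLite as a fresh database
    try:
        rows = run_qa_procedure(db_path)
    finally:
        if cleanup:
            os.remove(db_path)
    return {"sqlite_version": sqlite3.sqlite_version,
            "patched": sqlite_is_patched(),
            "rows": rows}


if __name__ == "__main__":
    print(qa_report())
```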

Comment 7 James Kerr 2019-09-03 22:46:59 CEST
Update validated. Advisory in comment 4 needs to be uploaded.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-09-06 19:37:36 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-09-06 23:11:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0240.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
