Bug 26104 - sqlite3 new security issues CVE-2019-13734 and CVE-2019-1375[0-3]
Summary: sqlite3 new security issues CVE-2019-13734 and CVE-2019-1375[0-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25801 26137 26138
Reported: 2020-01-18 20:27 CET by David Walser
Modified: 2020-06-12 22:26 CEST

See Also:
Source RPM: sqlite3-3.30.1-3.mga8.src.rpm
CVE:
Status comment:


David Walser 2020-01-18 20:27:34 CET

Blocks: (none) => 26103, 25801
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-01-18 21:02:23 CET
This SRPM has been nursed by various people, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

David Walser 2020-01-18 21:03:32 CET

Blocks: 26103 => (none)

Comment 2 David Walser 2020-01-24 13:31:50 CET
Fixed in Cauldron by Shlomi in sqlite3-3.31.0-1.mga8.

Version: Cauldron => 7
Status comment: (none) => Fixed upstream in 3.31.0
Whiteboard: MGA7TOO => (none)
CC: (none) => shlomif

Comment 3 David GEIGER 2020-01-24 18:11:46 CET
Done also for mga7 with latest 3.31.0 release!

CC: (none) => geiger.david68210

Comment 4 David Walser 2020-01-24 18:50:42 CET
Thanks David!  Does this also fix the issues in Bug 25801?

Preliminary advisory below...

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw
(CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds
read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.31.0-1.mga7
libsqlite3-devel-3.31.0-1.mga7
libsqlite3-static-devel-3.31.0-1.mga7
sqlite3-tools-3.31.0-1.mga7
lemon-3.31.0-1.mga7
sqlite3-tcl-3.31.0-1.mga7

from sqlite3-3.31.0-1.mga7.src.rpm

Status comment: Fixed upstream in 3.31.0 => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 David GEIGER 2020-01-24 22:22:24 CET
(In reply to David Walser from comment #4)
> Thanks David!  Does this also fix the issues in Bug 25801?

I hope so....

Comment 6 David Walser 2020-01-25 12:55:40 CET
Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

It was discovered that SQLite incorrectly handled certain schemas. An attacker
could possibly use this issue to cause a denial of service (CVE-2019-16168).

It was discovered that SQLite incorrectly handled certain schemas. An attacker
could possibly use this issue to mishandle some expressions (CVE-2019-19242).

It was discovered that SQLite incorrectly handled certain queries. An attacker
could possibly use this issue to execute arbitrary code (CVE-2019-19244).

An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw
(CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds
read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244
https://usn.ubuntu.com/4205-1/
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html

Comment 7 David Walser 2020-01-26 18:44:53 CET
It looks like tv added an additional patch for CVE-2019-19880 and CVE-2019-19926 in Cauldron, so we should add it here too.

Keywords: (none) => feedback

Comment 8 David Walser 2020-01-27 15:49:01 CET
Oh never mind, those CVEs were already fixed in 3.31.0.  Adding to the advisory.

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw
(CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds
read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

It was discovered that SQLite incorrectly handled certain schemas. An attacker
could possibly use this issue to cause a denial of service (CVE-2019-16168).

It was discovered that SQLite incorrectly handled certain schemas. An attacker
could possibly use this issue to mishandle some expressions (CVE-2019-19242).

It was discovered that SQLite incorrectly handled certain queries. An attacker
could possibly use this issue to execute arbitrary code (CVE-2019-19244).

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an
invalid pointer dereference because constant integer values in ORDER BY
clauses of window definitions are mishandled (CVE-2019-19880).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
https://usn.ubuntu.com/4205-1/

Keywords: feedback => (none)

Thomas Andrews 2020-01-27 19:11:15 CET

Blocks: (none) => 26138

Comment 9 Thomas Andrews 2020-01-27 20:35:00 CET
Bug 26138 (Thunderbird) will not update without the lib64sqlite package. So, I updated these packages, Thunderbird, and bug 26137 (Firefox) all in one operation.

All packages installed cleanly.  More detailed tests are probably needed, but in so far as Thunderbird uses this, it worked OK.

CC: (none) => andrewsfarm

Comment 10 Herman Viaene 2020-01-28 13:33:18 CET
MGA7-64 Plasma on Lenovo B50
No installation issues, but this caused some 5 or 6 packages, leftover from the dependencies of QGIS, to be removed as these are reported to be dependent on sqlite version 3.28.
Installed sqlitestudio alongside and used that to create a new database and create a new table in it.
Will come back for OK, after testing Thunderbird and Firefox versions.

CC: (none) => herman.viaene

Comment 11 David Walser 2020-01-28 14:03:29 CET
3.31.1 fixes a couple of regressions, perhaps we should update again...:
https://www.sqlite.org/releaselog/3_31_1.html

Comment 12 Thomas Backlund 2020-01-28 14:16:30 CET
Yes,

it reportedly can break thunderbird, firefox and other mozilla based stuff, so I'd suggest we bump to 3.31.1 and then rebuild both thunderbird and firefox to ensure they still work...

CC: (none) => tmb

Comment 13 David Walser 2020-01-28 14:31:39 CET
OK I updated it.

libsqlite3_0-3.31.1-1.mga7
libsqlite3-devel-3.31.1-1.mga7
libsqlite3-static-devel-3.31.1-1.mga7
sqlite3-tools-3.31.1-1.mga7
lemon-3.31.1-1.mga7
sqlite3-tcl-3.31.1-1.mga7

from sqlite3-3.31.1-1.mga7.src.rpm

Comment 14 Thomas Andrews 2020-01-28 15:32:19 CET
Hmm. The error message I got when trying to update Thunderbird specified a lib64sqlite3_0 greater than or equal to 3.31.0, so this stuff should install OK along with the already-updated Firefox and Thunderbird on this system. Of course, that doesn't mean those two apps won't be broken.

Should I go ahead and install the packages from here and see if they break FF and/or T-bird as they are, or would it be wiser just to wait for rebuilt versions that will be coming anyway and do all at once?

Thomas Backlund 2020-01-28 19:52:22 CET

Keywords: (none) => advisory

Comment 15 David Walser 2020-01-28 21:11:56 CET
Thomas, everything is built.  You may proceed with testing.

Nicolas Salguero 2020-01-29 09:19:31 CET

Blocks: (none) => 26137

Comment 16 Herman Viaene 2020-01-29 10:16:09 CET
Repeated test as per Comment 10, looks OK.

Comment 17 Thomas Andrews 2020-01-29 13:28:30 CET
Updated packages from all three bugs in one operation, as in Comment 9, except on different hardware.

The following 8 packages are going to be installed:

- firefox-68.4.2-3.mga7.x86_64
- firefox-en_US-68.4.2-1.mga7.noarch
- lib64nss3-3.49.2-1.mga7.x86_64
- lib64sqlite3_0-3.31.1-1.mga7.x86_64
- nss-3.49.2-1.mga7.x86_64
- sqlite3-tools-3.31.1-1.mga7.x86_64
- thunderbird-68.4.2-3.mga7.x86_64
- thunderbird-en_US-68.4.2-1.mga7.noarch

Packages installed cleanly, and everything seems to work. Will test on the system I updated in Comment 9 in a few minutes.

Comment 18 Thomas Andrews 2020-01-29 13:45:56 CET
The system from Comment 9 seems to be working OK, too.

Comment 19 James Kerr 2020-01-29 15:26:39 CET
on mga7-64  kernel-desktop  plasma

packages installed cleanly:
- lib64sqlite3_0-3.31.1-1.mga7.x86_64
- sqlite3-tools-3.31.1-1.mga7.x86_64

no regressions noted

firefox and thunderbird updated and run OK

This update looks OK for mga7-64.

CC: (none) => jim

Comment 20 Herman Viaene 2020-01-30 10:51:13 CET
OK for me after installing new versions of Firefox and Thunderbird.

Whiteboard: (none) => MGA7-64-OK

Comment 21 Thomas Andrews 2020-01-30 15:53:53 CET
Time to let these go. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 22 Mageia Robot 2020-01-30 19:29:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0070.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 23 David Walser 2020-06-12 22:26:03 CEST
I believe this update also addressed:
CVE-2019-19603
CVE-2019-19645

as seen in:
https://usn.ubuntu.com/4394-1/
