This Google Chrome update from December 10 lists sqlite3 vulnerabilities:
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html

The RedHat bugs have links to upstream commits with the fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1781980
https://bugzilla.redhat.com/show_bug.cgi?id=1781997
https://bugzilla.redhat.com/show_bug.cgi?id=1781998
https://bugzilla.redhat.com/show_bug.cgi?id=1781999
https://bugzilla.redhat.com/show_bug.cgi?id=1782000

Mageia 7 is also affected.
Blocks: (none) => 26103, 25801
Whiteboard: (none) => MGA7TOO
This SRPM has been nursed by various people, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
Blocks: 26103 => (none)
Fixed in Cauldron by Shlomi in sqlite3-3.31.0-1.mga8.
Version: Cauldron => 7
Status comment: (none) => Fixed upstream in 3.31.0
Whiteboard: MGA7TOO => (none)
CC: (none) => shlomif
Done also for mga7 with latest 3.31.0 release!
CC: (none) => geiger.david68210
Thanks David! Does this also fix the issues in Bug 25801?

Preliminary advisory below...

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.31.0-1.mga7
libsqlite3-devel-3.31.0-1.mga7
libsqlite3-static-devel-3.31.0-1.mga7
sqlite3-tools-3.31.0-1.mga7
lemon-3.31.0-1.mga7
sqlite3-tcl-3.31.0-1.mga7

from sqlite3-3.31.0-1.mga7.src.rpm
Status comment: Fixed upstream in 3.31.0 => (none)
Assignee: pkg-bugs => qa-bugs
(In reply to David Walser from comment #4)
> Thanks David! Does this also fix the issues in Bug 25801?
>

I hope so....
Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service (CVE-2019-16168).

It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to mishandle some expressions (CVE-2019-19242).

It was discovered that SQLite incorrectly handled certain queries. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-19244).

An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244
https://usn.ubuntu.com/4205-1/
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
It looks like tv added an additional patch for CVE-2019-19880 and CVE-2019-19926 in Cauldron, so we should add it here too.
Keywords: (none) => feedback
Oh never mind, those CVEs were already fixed in 3.31.0. Adding to the advisory.

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service (CVE-2019-16168).

It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to mishandle some expressions (CVE-2019-19242).

It was discovered that SQLite incorrectly handled certain queries. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-19244).

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled (CVE-2019-19880).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
https://usn.ubuntu.com/4205-1/
Keywords: feedback => (none)
Blocks: (none) => 26138
Bug 26138 (Thunderbird) will not update without the lib64sqlite package. So, I updated these packages, Thunderbird, and bug 26137 (Firefox) all in one operation. All packages installed cleanly. More detailed tests are probably needed, but in so far as Thunderbird uses this, it worked OK.
CC: (none) => andrewsfarm
MGA7-64 Plasma on Lenovo B50

No installation issues, but this caused some 5 or 6 packages, leftover from the dependencies of QGIS, to be removed as these are reported to be dependent on sqlite version 3.28.

Installed sqlitestudio alongside and used that to create a new database and create a new table in it.

Will come back for OK, after testing Thunderbird and Firefox versions.
CC: (none) => herman.viaene
3.31.1 fixes a couple of regressions, perhaps we should update again...: https://www.sqlite.org/releaselog/3_31_1.html
Yes, it reportedly can break thunderbird, firefox and other mozilla based stuff, so I'd suggest we bump to 3.31.1 and then rebuild both thunderbird and firefox to ensure they still work...
CC: (none) => tmb
OK I updated it.

libsqlite3_0-3.31.1-1.mga7
libsqlite3-devel-3.31.1-1.mga7
libsqlite3-static-devel-3.31.1-1.mga7
sqlite3-tools-3.31.1-1.mga7
lemon-3.31.1-1.mga7
sqlite3-tcl-3.31.1-1.mga7

from sqlite3-3.31.1-1.mga7.src.rpm
Hmm. The error message I got when trying to update Thunderbird specified a lib64sqlite3_0 greater than or equal to 3.31.0, so this stuff should install OK along with the already-updated Firefox and Thunderbird on this system. Of course, that doesn't mean those two apps won't be broken. Should I go ahead and install the packages from here and see if they break FF and/or T-bird as they are, or would it be wiser just to wait for rebuilt versions that will be coming anyway and do all at once?
Keywords: (none) => advisory
Thomas, everything is built. You may proceed with testing.
Blocks: (none) => 26137
Repeated test as per Comment 10, looks OK.
Updated packages from all three bugs in one operation, as in Comment 9, except on different hardware.

The following 8 packages are going to be installed:

- firefox-68.4.2-3.mga7.x86_64
- firefox-en_US-68.4.2-1.mga7.noarch
- lib64nss3-3.49.2-1.mga7.x86_64
- lib64sqlite3_0-3.31.1-1.mga7.x86_64
- nss-3.49.2-1.mga7.x86_64
- sqlite3-tools-3.31.1-1.mga7.x86_64
- thunderbird-68.4.2-3.mga7.x86_64
- thunderbird-en_US-68.4.2-1.mga7.noarch

Packages installed cleanly, and everything seems to work. Will test on the system I updated in Comment 9 in a few minutes.
The system from Comment 9 seems to be working OK, too.
on mga7-64 kernel-desktop plasma

packages installed cleanly:
- lib64sqlite3_0-3.31.1-1.mga7.x86_64
- sqlite3-tools-3.31.1-1.mga7.x86_64

no regressions noted
firefox and thunderbird updated and run OK

This update looks OK for mga7-64.
CC: (none) => jim
OK for me after installing new versions of Firefox and Thunderbird.
Whiteboard: (none) => MGA7-64-OK
Time to let these go. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0070.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
I believe this update also addressed:

CVE-2019-19603
CVE-2019-19645

as seen in:
https://usn.ubuntu.com/4394-1/