Google has issued an advisory on February 4: https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html It mentions several issues in sqlite3, which we'll have to track down fixes for. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to Thierry as the recent maintainer, CC Shlomi as the registered one.
CC: (none) => shlomif
Assignee: bugsquad => thierry.vignaud
CVE-2019-19880 and CVE-2019-19926 addressed in Bug 26104. Ubuntu has issued an advisory for this today (March 10): https://usn.ubuntu.com/4298-1/ It also adds a few new CVEs.
Summary: sqlite3 new security issues CVE-2019-19880, CVE-2019-1992[356], CVE-2020-6405 => sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327
Status comment: (none) => Patches available from Google and Ubuntu
According to https://sqlite.org/forum/forumpost/0e8b920012 «All known security issues are fixed in SQLite 3.31.1.». Can we make this mga issue, mga7-only?
That's a terrible response you got from upstream, and unfortunately it's typical of some projects. CVEs are not a perfect system, but it's what we have, and it's what we all use for tracking security issues. So they're being very (and purposefully) unhelpful. Anyway, they are also incorrect, as at least CVE-2020-9327 affects 3.31.1.
Debian-LTS has issued an advisory on May 5: https://www.debian.org/lts/security/2020/dla-2203 This new issue also affects Mageia 7 and Cauldron.
Summary: sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327 => sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655
Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
It appears everything should be fixed upstream in 3.32.0, which Nicolas just updated Cauldron to.
Debian has issued an advisory today (May 26): https://www.debian.org/lts/security/2020/dla-2221 The issue was fixed upstream after 3.32.0. Mageia 7 is also affected.
Version: 7 => Cauldron
Summary: sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655 => sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-13434
Whiteboard: (none) => MGA7TOO
CVE-2020-13434 fixed in 3.32.1, uploaded by Shlomi for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
There are a handful of other issues fixed in 3.32.0. Fedora has issued an advisory on June 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
Summary: sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-13434 => sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2]
Ubuntu has issued an advisory for some of these issues on June 10: https://usn.ubuntu.com/4394-1/
3.32.3 is out, fixing more security issues: https://www.sqlite.org/releaselog/3_32_3.html
CVE-2020-15358 was fixed in 3.32.3: https://ubuntu.com/security/notices/USN-4438-1
Summary: sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2] => sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-15358
CVE-2020-13871 was fixed in 3.33.0: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BN32AGQPMHZRNM6P6L5GZPETOWTGXOKP/
Summary: sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-15358 => sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358
Debian-LTS has issued an advisory for some of these issues on August 22: https://www.debian.org/lts/security/2020/dla-2340
RedHat has issued an advisory for some of these issues on November 3: https://access.redhat.com/errata/RHSA-2020:4442
CVE-2019-1992[3-5] are already on mga 7
Summary: sqlite3 new security issues CVE-2019-1992[3-5], CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358 => sqlite3 new security issues CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358
CVE-2019-19959 is already on mga7
Summary: sqlite3 new security issues CVE-2019-19959, CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358 => sqlite3 new security issues CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358
CVE-2019-20218 is already on mga7
Summary: sqlite3 new security issues CVE-2019-20218, CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358 => sqlite3 new security issues CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358
https://security-tracker.debian.org/tracker/CVE-2020-6405 => CVE in Chromium. Fixed already.
Summary: sqlite3 new security issues CVE-2020-6405, CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358 => sqlite3 new security issues CVE-2020-9327, CVE-2020-11655, CVE-2020-1343[45], CVE-2020-1363[0-2], CVE-2020-13871, CVE-2020-15358
fix for CVE-2020-9327 added in SVN.
Fixes CVE-2020-11655, CVE-2020-13434 added in svn.
Fix for CVE-2020-13435 added in svn
Fixes for CVE-2020-1363[0-2] added in svn
from the list, only CVE-2020-13871 is missing now.
Ping Nicolas, any luck with CVE-2020-13871?
I added the upstream patch for CVE-2020-13871. The first patch Nicolas added for CVE-2020-13435 causes a build error:

sqlite3.c: In function 'sqlite3WindowRewrite':
sqlite3.c:150430:29: error: 'sqlite3WalkerDepthIncrease' undeclared (first use in this function); did you mean 'sqlite3WalReadFrame'?
     w.xSelectCallback = sqlite3WalkerDepthIncrease;
                         ^~~~~~~~~~~~~~~~~~~~~~~~~~
                         sqlite3WalReadFrame
sqlite3.c:150430:29: note: each undeclared identifier is reported only once for each function it appears in
sqlite3.c:150431:30: error: 'sqlite3WalkerDepthDecrease' undeclared (first use in this function); did you mean 'sqlite3WhereGetMask'?
     w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~
                          sqlite3WhereGetMask
make: *** [Makefile:770: sqlite3.lo] Error 1
make: *** Waiting for unfinished jobs....

Ubuntu had a prerequisite patch that fixed the issue in Comment 26. Patched package uploaded for all CVEs in bug title.

libsqlite3_0-3.31.1-1.1.mga7
libsqlite3-devel-3.31.1-1.1.mga7
libsqlite3-static-devel-3.31.1-1.1.mga7
sqlite3-tools-3.31.1-1.1.mga7
lemon-3.31.1-1.1.mga7
sqlite3-tcl-3.31.1-1.1.mga7

from sqlite3-3.31.1-1.1.mga7.src.rpm
Status comment: Patches available from Google and Ubuntu => (none)
Assignee: thierry.vignaud => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues. Ref bug 26104 for testing. Installed sqlitestudio alongside and used that to create a new database and create a new table in it. Populated a few rows. Saw no impact on the working of Thunderbird or Firefox (added a bookmark). OK for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations (CVE-2020-9327).

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled (CVE-2020-11655).

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c (CVE-2020-13434).

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c (CVE-2020-13435).

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature (CVE-2020-13630).

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c (CVE-2020-13631).

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query (CVE-2020-13632).

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late (CVE-2020-13871).

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation (CVE-2020-15358).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26270
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9327
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11655
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13434
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13435
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13630
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13631
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13632
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13871
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15358
- https://access.redhat.com/errata/RHSA-2020:4442
- https://www.debian.org/lts/security/2020/dla-2340
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BN32AGQPMHZRNM6P6L5GZPETOWTGXOKP/
- https://ubuntu.com/security/notices/USN-4438-1
- https://www.sqlite.org/releaselog/3_32_3.html
- https://www.sqlite.org/releaselog/3_32_2.html
- https://www.sqlite.org/releaselog/3_32_1.html
- https://www.sqlite.org/releaselog/3_32_0.html
- https://usn.ubuntu.com/4394-1/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://www.debian.org/lts/security/2020/dla-2221

========================
Updated packages in core/updates_testing:
========================
lib(64)sqlite3_0-3.31.1-1.1.mga7
lib(64)sqlite3-devel-3.31.1-1.1.mga7
lib(64)sqlite3-static-devel-3.31.1-1.1.mga7
sqlite3-tools-3.31.1-1.1.mga7
lemon-3.31.1-1.1.mga7
sqlite3-tcl-3.31.1-1.1.mga7

from sqlite3-3.31.1-1.1.mga7.src.rpm
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0303.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED