Bug 29490 - sqlite3 new security issue CVE-2021-30569
Summary: sqlite3 new security issue CVE-2021-30569
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-09-25 23:03 CEST by David Walser
Modified: 2021-10-04 18:43 CEST

See Also:
Source RPM: sqlite3-3.34.1-1.mga8.src.rpm
CVE: CVE-2021-30569
Status comment:


Description David Walser 2021-09-25 23:03:58 CEST
Google has released Chrome version 92.0.4515.107 on July 20:
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop_20.html

It fixes a security issue in sqlite3.

Nicolas tracked down the issue, which was fixed upstream in 3.36.0:
https://bugs.mageia.org/show_bug.cgi?id=28732#c30

"Regarding CVE-2021-30569 in sqlite3, I found this link: https://codereview.qt.nokia.com/c/qt/qtwebengine-chromium/+/367015
which is a backport of:
https://chromium.googlesource.com/chromium/deps/sqlite.git/+/09b4d6e90623cea239af64d3ba4dd9327ce99f23
which finally refers to:
https://sqlite.org/src/info/45f459d2fa4be97d
"
David Walser 2021-09-25 23:04:12 CEST

Status comment: (none) => Fixed upstream in 3.36.0

Comment 1 Marja Van Waes 2021-09-25 23:39:07 CEST
And another one that "Nobody" maintains

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-09-27 10:14:19 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use after free in sqlite in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30569)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30569
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop_20.html
========================

Updated packages in core/updates_testing:
========================
lemon-3.34.1-1.1.mga8
sqlite3-tcl-3.34.1-1.1.mga8
sqlite3-tools-3.34.1-1.1.mga8
lib(64)sqlite3_0-3.34.1-1.1.mga8
lib(64)sqlite3-devel-3.34.1-1.1.mga8
lib(64)sqlite3-static-devel-3.34.1-1.1.mga8

from SRPM:
sqlite3-3.34.1-1.1.mga8.src.rpm

CVE: (none) => CVE-2021-30569
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 3.36.0 => (none)
CC: (none) => nicolas.salguero

Comment 3 Brian Rockwell 2021-10-02 22:34:24 CEST
MGA8-64, Mate, VM


The following 9 packages are going to be installed:

- cpupower-5.10.70-1.mga8.x86_64
- glibc-2.32-20.mga8.x86_64
- glibc-devel-2.32-20.mga8.x86_64
- kernel-desktop-5.10.70-1.mga8-1-1.mga8.x86_64
- kernel-desktop-latest-5.10.70-1.mga8.x86_64
- lemon-3.34.1-1.mga8.x86_64
- lib64sqlite3_0-3.34.1-1.1.mga8.x86_64
- sqlite3-tcl-3.34.1-1.1.mga8.x86_64
- sqlite3-tools-3.34.1-1.1.mga8.x86_64

75MB of additional disk space will be used.

-- rebooted VM

Installed Nextcloud server and configured to use sqlite

- NextCloud completed initial install.
- added photos, etc. to Nextcloud.  All of this working as designed.

I consider this a heavy hitting test of SQLite.

CC: (none) => brtians1
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-10-03 22:06:28 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-10-04 18:15:49 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-10-04 18:43:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0458.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

