Bug 32018 - sqlite new security issues CVE-2016-6153 and CVE-2018-8740
Summary: sqlite new security issues CVE-2016-6153 and CVE-2018-8740
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-15 23:41 CEST by David Walser
Modified: 2023-06-28 07:23 CEST (History)

See Also:
Source RPM: sqlite-2.8.17-27.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-06-15 23:41:36 CEST
Debian-LTS has issued an advisory on May 22:
https://www.debian.org/lts/security/2023/dla-3431

We fixed these issues in sqlite3 in Bug 18869 and Bug 22792 years ago.

Do we still need to be carrying around this old package?

Mageia 8 is also affected.
David Walser 2023-06-15 23:42:18 CEST

Blocks: (none) => 30163
Status comment: (none) => Patches available from Debian
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-06-16 05:51:07 CEST
Done for both Cauldron and mga8!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-06-16 15:54:53 CEST
Thanks.  What about removing it from Cauldron?  It doesn't look like much depends on it, and it doesn't appear to be anything important.


Mageia 8 update:
libsqlite0-devel-2.8.17-26.1.mga8
libsqlite0-2.8.17-26.1.mga8
sqlite-tools-2.8.17-26.1.mga8
libsqlite0-static-devel-2.8.17-26.1.mga8

from sqlite-2.8.17-26.1.mga8.src.rpm

Status comment: Patches available from Debian => Possibly could be dropped in Cauldron

Comment 3 Lewis Smith 2023-06-16 20:36:24 CEST
(In reply to David GEIGER from comment #1)
> Done for both Cauldron and mga8!
Brilliant. You need to be the assignee, though.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 4 Dave Hodgins 2023-06-16 21:47:58 CEST
# urpmq --whatrequires-recursive lib64sqlite0|sort -u
gambas3-gb-db-sqlite2
javasqlite
lib64sqlite0
lib64sqlite0-devel
lib64sqlite0-static-devel
libdbi-drivers-dbd-sqlite
opendbx-sqlite
perl-DBD-SQLite2
sqlite-tools
task-gambas3
tilitin

So tilitin "Free Finnish bookkeeping software" is the only Mageia
application that uses it, but the rest may be needed for third party
software and development with gambas3-ide.

CC: (none) => davidwhodgins

Comment 5 David Walser 2023-06-16 21:59:19 CEST
The tilitin package hasn't been updated in 9 years, so it's either unmaintained or dead.  Gambas also has sqlite3 support, so it could be built without sqlite2 support.
Comment 6 Dave Hodgins 2023-06-16 22:32:20 CEST
I just installed and tried tilitin in m9 and it appears to work, though
I can't read the menus. One nice thing about bookkeeping software is
that it does not change, unless it includes tax features, which basic
bookkeeping does not. It's up to the person keeping the books to know
which accounts to set up for taxes, what accounts to credit/debit for
the various transactions, etc.
Comment 7 David Walser 2023-06-16 22:35:59 CEST
CC'ing Jani.  The software upstream hasn't been updated in 10 years and no other distro other than us appears to have it packaged.  Is there other bookkeeping software?

CC: (none) => jani.valimaa

Comment 8 David GEIGER 2023-06-17 06:36:56 CEST
I disabled sqlite support for gambas3, opendbx, libdbi-drivers and javasqlite.

Now we have to drop from repo:

perl-DBD-SQLite2-0.380.0-7.mga9.src.rpm
perl-DBIx-Class-Loader-0.210.0-10.mga9.src.rpm
Comment 9 David GEIGER 2023-06-18 09:02:49 CEST
So nothing depends on sqlite2 anymore!
Comment 10 David GEIGER 2023-06-18 13:13:07 CEST
sqlite now removed, so this bug is fixed for cauldron!

Status comment: Possibly could be dropped in Cauldron => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 11 David GEIGER 2023-06-18 13:15:54 CEST
Assigning to QA,

Packages in 8/Core/Updates_testing:
======================
libsqlite0-2.8.17-26.1.mga8
libsqlite0-devel-2.8.17-26.1.mga8
libsqlite0-static-devel-2.8.17-26.1.mga8
lib64sqlite0-2.8.17-26.1.mga8
lib64sqlite0-devel-2.8.17-26.1.mga8
sqlite-tools-2.8.17-26.1.mga8
lib64sqlite0-static-devel-2.8.17-26.1.mga8

From SRPMS:
sqlite-2.8.17-26.1.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs

David Walser 2023-06-18 20:38:36 CEST

CC: (none) => geiger.david68210

Nicolas Lécureuil 2023-06-19 23:41:09 CEST

Version: 8 => Cauldron
Blocks: 30163 => (none)
CC: (none) => mageia

David Walser 2023-06-19 23:50:18 CEST

Version: Cauldron => 8
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 12 Herman Viaene 2023-06-20 11:23:01 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
As in bug 30660, used sqlitestudio to create a new database and create a new table in it with a PK, not null string, other string without rules. Populated a few rows, all worked OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 13 David Walser 2023-06-20 13:04:52 CEST
sqlitestudio uses sqlite3, not sqlite (sqlite2).  See Comment 4 for the packages that use this.

Whiteboard: MGA8-64-OK => (none)

Comment 14 Herman Viaene 2023-06-20 15:37:34 CEST
@David
You might have to apply a request for a miracle in Lourdes (France), since I checked that I don't have anything sqlite3 installed, just the last 4 packages specified in Comment 11.
And the comments in MCC on SQLstudio read: "* All SQLite3 and SQLite2 features wrapped within simple GUI"
Comment 15 David Walser 2023-06-20 15:40:35 CEST
It looks like our package is only built with sqlite3 support (and you do have lib64sqlite3_0 installed).
Comment 16 Herman Viaene 2023-06-20 15:50:58 CEST
You're right @@#####. It's a selector that cannot be reset and is very light grey on a slightly darker background. Overlooked it completely.
Well, you'll have to go on without a miracle.....
Continuing the test.
Comment 17 Herman Viaene 2023-06-20 16:02:59 CEST
Installed and ran tilitin. As my Finnish is non-existent, I checked a few things in Google Translate, entered two records, closed tilitin and opened it again. And the two records were there, so I dare to guess they have been written to the database.
In view of Dave's comments, giving the OK.

Whiteboard: (none) => MGA8-64-OK

Comment 18 Thomas Andrews 2023-06-20 16:41:40 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-06-27 22:57:53 CEST

Keywords: (none) => advisory

Comment 19 Mageia Robot 2023-06-28 07:23:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0208.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

