Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #835443,
regarding jessie-pu: package sqlite3/3.8.7.1-1+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
835443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835443
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi Release Team,

There's a vulnerability in SQLite3 [1] which was fixed in Sid and
Stretch, but not yet in Jessie. Security Team decided it's a minor
issue and doesn't warrant a DSA.

Another issue, a segfault on heavy 'SAVEPOINT' usage [2][3] which affects
Django, is fixed as well.

Proposed patch is attached.

Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2016-6153
[2] http://bugs.debian.org/835205
[3] https://www.sqlite.org/src/info/c4b9c611
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog	2015-05-02 07:59:48.000000000 +0000
+++ sqlite3-3.8.7.1/debian/changelog	2016-08-25 16:10:24.000000000 +0000
@@ -1,3 +1,11 @@
+sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium
+
+  * Fix CVE-2016-6153 , Tempdir Selection Vulnerability.
+  * Backport fix for segfault following heavy SAVEPOINT usage
+    (closes: #835205).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org>  Thu, 25 Aug 2016 16:10:24 +0000
+
 sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high
 
   * Fix CVE-2015-3414 , use of uninitialized memory when parsing collation
diff -Nru sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch
--- sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,31 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5423,10 +5423,10 @@ static const char *unixTempFileDir(void)
+     if( zDir==0 ) continue;
+     if( osStat(zDir, &buf) ) continue;
+     if( !S_ISDIR(buf.st_mode) ) continue;
+-    if( osAccess(zDir, 07) ) continue;
+-    break;
++    if( osAccess(zDir, 03) ) continue;
++    return zDir;
+   }
+-  return zDir;
++  return 0;
+ }
+ 
+ /*
+@@ -5446,10 +5446,11 @@ static int unixGetTempname(int nBuf, cha
+   ** using the io-error infrastructure to test that SQLite handles this
+   ** function failing. 
+   */
++  zBuf[0] = 0;
+   SimulateIOError( return SQLITE_IOERR );
+ 
+   zDir = unixTempFileDir();
+-  if( zDir==0 ) zDir = ".";
++  if( zDir==0 ) return SQLITE_IOERR_GETTEMPPATH;
+ 
+   /* Check that the output buffer is large enough for the temporary file 
+   ** name. If it is not, return SQLITE_ERROR.
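Review bot: unixGetTempname() can now fail with SQLITE_IOERR_GETTEMPPATH where the 3.8.7.1 code fell back to "." (the `if( zDir==0 ) zDir = ".";` line being removed), so every caller of unixGetTempname() and unixTempFileDir() in the jessie source should be checked for propagating a non-OK return instead of using zBuf; those callers are outside this hunk. The `zBuf[0] = 0;` placed before SimulateIOError does leave an empty string on both failure paths, which is what a caller that ignores the return would then see. I would also annotate the access-mode change, since `03` versus `07` is easy to misread: `if( osAccess(zDir, 03) ) continue;  /* W_OK|X_OK: must be writable and searchable, need not be readable */`. Both patched functions continue outside this hunk.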
diff -Nru sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch
--- sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,13 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5419,7 +5419,7 @@ static const char *unixTempFileDir(void)
+   azDirs[0] = sqlite3_temp_directory;
+   if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+   if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+-  for(i=0; i<sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
++  for(i=0; i<=sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
+     if( zDir==0 ) continue;
+     if( osStat(zDir, &buf) ) continue;
+     if( !S_ISDIR(buf.st_mode) ) continue;
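Review bot: The `<=` bound introduced on the for loop makes the increment clause `zDir=azDirs[i++]` read one element past the end of azDirs on the last pass: when i equals the element count the body still runs, and the increment then indexes azDirs[count] before the condition stops the loop, an out-of-bounds read even though the value is never used. 47-CVE-2016-6153_part3.patch rewrites this loop immediately afterwards in the same series, so the bad bound only exists between two consecutive patches; folding part2 into part3 (or dropping part2 and regenerating part3 against part1) would keep the series free of a revision that contains a known out-of-bounds read, which matters if the series is ever applied partially or bisected. unixTempFileDir() continues outside this hunk.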
diff -Nru sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch
--- sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,35 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5412,19 +5412,23 @@ static const char *unixTempFileDir(void)
+      "/tmp",
+      0        /* List terminator */
+   };
+-  unsigned int i;
++  unsigned int i = 0;
+   struct stat buf;
+   const char *zDir = 0;
+ 
+   azDirs[0] = sqlite3_temp_directory;
+   if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+   if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+-  for(i=0; i<=sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
+-    if( zDir==0 ) continue;
+-    if( osStat(zDir, &buf) ) continue;
+-    if( !S_ISDIR(buf.st_mode) ) continue;
+-    if( osAccess(zDir, 03) ) continue;
+-    return zDir;
++  while(1){
++    if( zDir!=0
++     && osStat(zDir, &buf)==0
++     && S_ISDIR(buf.st_mode)
++     && osAccess(zDir, 03)==0
++    ){
++      return zDir;
++    }
++    if( i>=sizeof(azDirs)/sizeof(azDirs[0]) ) break;
++    zDir = azDirs[i++];
+   }
+   return 0;
+ }
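Review bot: The rewritten while(1) loop is correct but its shape is non-obvious — zDir is tested before it is advanced, so the initial zDir==0 and the trailing list terminator are both skipped by the `zDir!=0` test, and `i>=sizeof(azDirs)/sizeof(azDirs[0])` ends the walk only after every entry has been tried — yet the backport carries no comment saying so. I would add one above `while(1){` such as `/* Try each candidate in order; stop after the list terminator. A candidate is usable only if it exists, is a directory, and is writable and searchable (W_OK|X_OK). */`. The octal `03` passed to osAccess is the same magic number as in part1 and would benefit from the same annotation. Together with part1's removal of the "." fallback, exhausting the list now returns 0 and surfaces as SQLITE_IOERR_GETTEMPPATH rather than creating temporary files in the working directory, which is the behaviour this series exists to change.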
diff -Nru sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch
--- sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,29 @@
+Index: sqlite3/src/memjournal.c
+==================================================================
+--- sqlite3/src/memjournal.c
++++ sqlite3/src/memjournal.c
+@@ -77,6 +77,7 @@ static int memjrnlRead(
+ 
+   /* SQLite never tries to read past the end of a rollback journal file */
+   assert( iOfst+iAmt<=p->endpoint.iOffset );
++  assert( p->readpoint.iOffset==0 || p->readpoint.pChunk!=0 );
+ 
+   if( p->readpoint.iOffset!=iOfst || iOfst==0 ){
+     sqlite3_int64 iOff = 0;
+@@ -88,6 +89,7 @@ static int memjrnlRead(
+     }
+   }else{
+     pChunk = p->readpoint.pChunk;
++    assert( pChunk!=0 );
+   }
+ 
+   iChunkOffset = (int)(iOfst%JOURNAL_CHUNKSIZE);
+@@ -99,7 +101,7 @@ static int memjrnlRead(
+     nRead -= iSpace;
+     iChunkOffset = 0;
+   } while( nRead>=0 && (pChunk=pChunk->pNext)!=0 && nRead>0 );
+-  p->readpoint.iOffset = iOfst+iAmt;
++  p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;
+   p->readpoint.pChunk = pChunk;
+ 
+   return SQLITE_OK;
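Review bot: The `pChunk ? iOfst+iAmt : 0` reset is the actual fix and deserves a why-comment, because on its own it reads as an arbitrary special case; I would add above it `/* If this read consumed the final chunk, pChunk is now 0. Reset readpoint to offset 0 so the next read restarts the chunk walk from the head of the list instead of reusing a null readpoint.pChunk in the else-branch above. */`, which is presumably the segfault reported in #835205. The two added assert() calls document the invariant, but as SQLite compiles assert() out unless SQLITE_DEBUG is defined they guard nothing in the shipped package, so the comment is what a maintainer of the release build will actually see. memjrnlRead() starts and ends outside these hunks.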
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series	2015-05-02 07:59:48.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/series	2016-08-25 16:10:24.000000000 +0000
@@ -9,3 +9,7 @@
 40-CVE-2015-3414.patch
 41-CVE-2015-3415.patch
 42-CVE-2015-3416.patch
+45-CVE-2016-6153_part1.patch
+46-CVE-2016-6153_part2.patch
+47-CVE-2016-6153_part3.patch
+50-fix_in-memory_journal.patch

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
