Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: g...@debian.org
A number of security fixes in sqlite, which don't warrant a DSA.
This has been tested on a Buster system (along with validating
included test cases that issues are correctly fixed).
Cheers,
Moritz
diff -Nru sqlite3-3.27.2/debian/changelog sqlite3-3.27.2/debian/changelog
--- sqlite3-3.27.2/debian/changelog 2019-06-01 17:38:52.0 +0200
+++ sqlite3-3.27.2/debian/changelog 2020-10-05 22:53:55.0 +0200
@@ -1,3 +1,18 @@
+sqlite3 (3.27.2-3+deb10u1) buster; urgency=medium
+
+ * CVE-2019-19923
+ * CVE-2019-19925
+ * CVE-2019-19959
+ * CVE-2019-20218
+ * CVE-2020-13434
+ * CVE-2020-13435
+ * CVE-2020-13630
+ * CVE-2020-13632
+ * CVE-2020-15358
+ * CVE-2019-16168
+
+ -- Moritz Mühlenhoff Mon, 05 Oct 2020 22:53:55 +0200
+
sqlite3 (3.27.2-3) unstable; urgency=high
* Backport security related patches:
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch
sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 1970-01-01
01:00:00.0 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 2020-10-05
22:53:55.0 +0200
@@ -0,0 +1,66 @@
+From 725dd72400872da94dcfb6af48128905b93d57fe Mon Sep 17 00:00:00 2001
+From: drh
+Date: Thu, 15 Aug 2019 14:35:45 +
+Subject: [PATCH] Ensure that the optional "sz=N" parameter that can be
+ manually added to the end of an sqlite_stat1 entry does not have an N value
+ that is too small. Ticket [e4598ecbdd18bd82]
+
+FossilOrigin-Name:
98357d8c1263920b33a3648ef9214a63c99728bafa7a8d3dd6a1241b2303fd42
+---
+ src/analyze.c | 4 +++-
+ src/where.c| 1 +
+ test/analyzeC.test | 14 ++
+ 5 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/analyze.c b/src/analyze.c
+index 31fb6f5b5..1904b9be0 100644
+--- a/src/analyze.c
b/src/analyze.c
+@@ -1450,7 +1450,9 @@ static void decodeIntArray(
+ if( sqlite3_strglob("unordered*", z)==0 ){
+ pIndex->bUnordered = 1;
+ }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++int sz = sqlite3Atoi(z+3);
++if( sz<2 ) sz = 2;
++pIndex->szIdxRow = sqlite3LogEst(sz);
+ }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+ pIndex->noSkipScan = 1;
+ }
+diff --git a/src/where.c b/src/where.c
+index 65c92863a..a37a810a2 100644
+--- a/src/where.c
b/src/where.c
+@@ -2670,6 +2670,7 @@ static int whereLoopAddBtreeIndex(
+ ** it to pNew->rRun, which is currently set to the cost of the index
+ ** seek only. Then, if this is a non-covering index, add the cost of
+ ** visiting the rows in the main table. */
++assert( pSrc->pTab->szTabRow>0 );
+ rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+ pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+ if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+diff --git a/test/analyzeC.test b/test/analyzeC.test
+index 02faa9c7e..2a0a89781 100644
+--- a/test/analyzeC.test
b/test/analyzeC.test
+@@ -132,6 +132,20 @@ do_execsql_test 4.3 {
+ SELECT count(a) FROM t1;
+ } {/.*INDEX t1ca.*/}
+
++# 2019-08-15.
++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
++# The sz=N parameter in the sqlite_stat1 table needs to have a value of
++# 2 or more to avoid a division by zero in the query planner.
++#
++do_execsql_test 4.4 {
++ DROP TABLE IF EXISTS t44;
++ CREATE TABLE t44(a PRIMARY KEY);
++ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
++ ANALYZE sqlite_master;
++ SELECT 0 FROM t44 WHERE a IN(1,2,3);
++} {}
++
++
+
+ # The sz=NNN parameter works even if there is other extraneous text
+ # in the sqlite_stat1.stat column.
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch
sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch 1970-01-01
01:00:00.0 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch 2020-10-02
16:43:04.0 +0200
@@ -0,0 +1,62 @@
+From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
+From: drh
+Date: Wed, 18 Dec 2019 20:51:58 +
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+ check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+ query is DISTINCT. Without this fix, if an index scan is run on the table
+ within the view on the right-hand side of the LEFT JOIN, stale result
+ registers might be accessed yielding incorrect results, and/or an
+ OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+ NULL-pointer dereference. This problem was found by the Yongheng and Rui
+ fuzzer.
+
+FossilOrigin-Name:
862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+ src/select.c | 8 ++--
+ test/join.test |
Bug#966426: (some kind of) transition: add python3.9 as a supported python3 version
status update: https://lists.debian.org/debian-python/2020/10/msg00033.html
Bug#971685: buster-pu: package fish/3.0.2-2+deb10u1
Hi, On Mon, 12 Oct 2020 18:36:04 +0800 Wang Shanker wrote: > Control: tags -1 - moreinfo > Control: fixed 970777 fish/3.1.0-1 > > As far as I know, this issue was fixed by upstream since 3.1.0 I can confirm that the bug has been fixed in v3.1.0. Current packages in Testing/Sid are of version 3.1.2. The metadata for bug 970777 has been updated to reflect this information. Thanks, Boyuan Yang > On Sat, 10 Oct 2020 09:33:40 +0100 "Adam D. Barratt" < a...@adam-barratt.org.uk> wrote: > > Control: tags -1 + moreinfo > > > > On Sun, 2020-10-04 at 19:53 -0400, Boyuan Yang wrote: > > > I am working on solving https://bugs.debian.org/970777 , a bug that > > > made package fish in Debian 10 unusable with sudo in terminal. The > > > patch comes from upstream trunk. > > > > The metadata for that bug indicates that it is affects the package in > > unstable and is not yet fixed there - is that correct? If so, then the > > fix needs to be in unstable before we can consider it for a stable > > update. If not, please update the metadata to indicate which package > > version the fix was first included in. signature.asc Description: This is a digitally signed message part
Bug#970745: buster-pu: package pdns_4.1.6-3+deb10u1
* Adam D. Barratt [201010 10:28]: > On Tue, 2020-09-22 at 22:22 +0200, Chris Hofstaedtler wrote: > > Maybe it should be pointed out in the stable update notes that > > manual action is needed to remedy CVE-2019-10203 for existing > > installations using postgres. "Manual schema update required for > > PostgreSQL"? > > We could, but I'm not sure how many people actually read the fine print > of the announcement mails, particularly in sections that they expect to > be boilerplate. > > I was wondering if it was worth a d/NEWS entry, although that would > obviously be potentially annoying if it ends up being shown to users > who don't have the relevant binary package installd. Ah, pdns already has per-binary NEWS files - I've added it there. New debdiff attached. Please confirm. Thanks, Chris diff -Nru pdns-4.1.6/debian/changelog pdns-4.1.6/debian/changelog --- pdns-4.1.6/debian/changelog 2019-06-21 19:07:07.0 + +++ pdns-4.1.6/debian/changelog 2020-10-12 12:42:43.0 + @@ -1,3 +1,13 @@ +pdns (4.1.6-3+deb10u1) buster; urgency=medium + + * Apply upstream patches to fix CVE-2019-10203. +To actually fix this problem in existing installations, the newly +supplied schema file 4.1.10_to_4.1.11.schema.pgsql.sql has to be +manually applied to the backing PostgreSQL database. (Closes: #970729) + * Apply upstream patches to fix CVE-2020-17482 (Closes: #970737) + + -- Chris Hofstaedtler Mon, 12 Oct 2020 12:42:43 + + pdns (4.1.6-3) unstable; urgency=medium * Fix Denial of service via crafted zone records (CVE-2019-10162) diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10203.patch pdns-4.1.6/debian/patches/CVE-2019-10203.patch --- pdns-4.1.6/debian/patches/CVE-2019-10203.patch 1970-01-01 00:00:00.0 + +++ pdns-4.1.6/debian/patches/CVE-2019-10203.patch 2020-10-12 12:42:43.0 + @@ -0,0 +1,54 @@ +From 6b48327a0da913d8eeb1c1a4938d3f22d80f9fb3 Mon Sep 17 00:00:00 2001 +From: Peter van Dijk +Date: Tue, 30 Jul 2019 15:40:09 +0200 +Subject: [PATCH] adjust gpgsql schema for advisory 2019-06 + +--- + modules/gpgsqlbackend/4.1.10_to_4.1.11.schema.pgsql.sql | 1 + + modules/gpgsqlbackend/schema.pgsql.sql | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 modules/gpgsqlbackend/4.1.10_to_4.1.11.schema.pgsql.sql + +diff --git a/modules/gpgsqlbackend/4.1.10_to_4.1.11.schema.pgsql.sql b/modules/gpgsqlbackend/4.1.10_to_4.1.11.schema.pgsql.sql +new file mode 100644 +index 00..b0c2ee1efa +--- /dev/null b/modules/gpgsqlbackend/4.1.10_to_4.1.11.schema.pgsql.sql +@@ -0,0 +1 @@ ++ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END; +diff --git a/modules/gpgsqlbackend/schema.pgsql.sql b/modules/gpgsqlbackend/schema.pgsql.sql +index b105d87951..cad35d5f19 100644 +--- a/modules/gpgsqlbackend/schema.pgsql.sql b/modules/gpgsqlbackend/schema.pgsql.sql +@@ -4,7 +4,7 @@ CREATE TABLE domains ( + masterVARCHAR(128) DEFAULT NULL, + last_checkINT DEFAULT NULL, + type VARCHAR(6) NOT NULL, +- notified_serial INT DEFAULT NULL, ++ notified_serial BIGINT DEFAULT NULL, + account VARCHAR(40) DEFAULT NULL, + CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) + ); + + +From 15b1f3607691e6b0443696d6edca40cc3a04bbb0 Mon Sep 17 00:00:00 2001 +From: tcely +Date: Sun, 4 Aug 2019 05:12:30 -0400 +Subject: [PATCH] gpgsqlbackend: add missing schema file to Makefile + +--- + modules/gpgsqlbackend/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/gpgsqlbackend/Makefile.am b/modules/gpgsqlbackend/Makefile.am +index 8a820d516b..9e2f271702 100644 +--- a/modules/gpgsqlbackend/Makefile.am b/modules/gpgsqlbackend/Makefile.am +@@ -12,6 +12,7 @@ dist_doc_DATA = \ + schema.pgsql.sql \ + nodnssec-3.x_to_3.4.0_schema.pgsql.sql \ + dnssec-3.x_to_3.4.0_schema.pgsql.sql \ ++ 4.1.10_to_4.1.11.schema.pgsql.sql \ + 3.4.0_to_4.1.0_schema.pgsql.sql + + libgpgsqlbackend_la_SOURCES = \ diff -Nru pdns-4.1.6/debian/patches/CVE-2020-17482.patch pdns-4.1.6/debian/patches/CVE-2020-17482.patch --- pdns-4.1.6/debian/patches/CVE-2020-17482.patch 1970-01-01 00:00:00.0 + +++ pdns-4.1.6/debian/patches/CVE-2020-17482.patch 2020-10-12 12:42:43.0 + @@ -0,0 +1,153 @@ +From 3b88cb8c8cdd166b566ef7bd87f47732b2783f6a Mon Sep 17 00:00:00 2001 +From: Remi Gacogne +Date: Tue, 11 Aug 2020 11:25:06 +0200 +Subject: [PATCH 1/2] Raise an exception on invalid hex content in unknown + records + +Otherwise we can end up reading uninitialised memory from the stack, +possibly leaking information. +This is only an issue if the content is read from an untrusted source +and can be passed back to an attacker. +--- + pdns/dnsparser.cc | 24 + pdns/test-dnsrecords_cc.cc | 32
Processed: Re: Bug#971685: buster-pu: package fish/3.0.2-2+deb10u1
Processing control commands: > tags -1 - moreinfo Bug #971685 [release.debian.org] buster-pu: package fish/3.0.2-2+deb10u1 Removed tag(s) moreinfo. > fixed 970777 fish/3.1.0-1 Bug #970777 [fish] fish: tty settings are not resetted on exit Marked as fixed in versions fish/3.1.0-1. -- 970777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970777 971685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971685 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#971685: buster-pu: package fish/3.0.2-2+deb10u1
Control: tags -1 - moreinfo Control: fixed 970777 fish/3.1.0-1 As far as I know, this issue was fixed by upstream since 3.1.0 Cheers, Miao Wang On Sat, 10 Oct 2020 09:33:40 +0100 "Adam D. Barratt" wrote: > Control: tags -1 + moreinfo > > On Sun, 2020-10-04 at 19:53 -0400, Boyuan Yang wrote: > > I am working on solving https://bugs.debian.org/970777 , a bug that > > made package fish in Debian 10 unusable with sudo in terminal. The > > patch comes from upstream trunk. > > The metadata for that bug indicates that it is affects the package in > unstable and is not yet fixed there - is that correct? If so, then the > fix needs to be in unstable before we can consider it for a stable > update. If not, please update the metadata to indicate which package > version the fix was first included in. > > Regards, > > Adam > > >
Bug#971415: transition: ocaml
Control: tags -1 + confirmed On 2020-10-12 09:50:08, Stéphane Glondu wrote: > Le 10/10/2020 à 17:58, Sebastian Ramacher a écrit : > >> I tried to install all corresponding opam packages in a 4.11.1 switch, > >> and the breakage is minimal. > > > > Have bugs been filed for the these issues or are you taking care of > > that? > > I will take care of filing bugs and/or fixing issues. And as usual, I > will also take care of binNMUs. Great, please go ahead. Cheers > > > Cheers, > > -- > Stéphane > -- Sebastian Ramacher
Processed: Re: Bug#971415: transition: ocaml
Processing control commands: > tags -1 + confirmed Bug #971415 [release.debian.org] transition: ocaml Added tag(s) confirmed. -- 971415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971415 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#971415: transition: ocaml
Le 10/10/2020 à 17:58, Sebastian Ramacher a écrit : >> I tried to install all corresponding opam packages in a 4.11.1 switch, >> and the breakage is minimal. > > Have bugs been filed for the these issues or are you taking care of > that? I will take care of filing bugs and/or fixing issues. And as usual, I will also take care of binNMUs. Cheers, -- Stéphane
Bug#971347: transition: mumps
Hi Drew On Mon, 12 Oct 2020 at 04:42, Drew Parsons wrote: > I think petsc 3.13.6+dfsg1-1 needs to be marked again for binNMU > "Rebuild against MUMPS 5.3.3" on armel, mipsel (i.e. versioned binNMU). Scheduled, thanks. Regards Graham
