Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #835443,
regarding jessie-pu: package sqlite3/3.8.7.1-1+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
835443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835443
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi Release Team,
There's a vulnerability in SQLite3 [1] which was fixed in Sid and
Stretch, but not yet in Jessie. Security Team decided it's a minor
issue and doesn't warrant a DSA.
Another issue is fixed as well: a segfault on heavy 'SAVEPOINT'
usage [2][3], which affects Django.
Proposed patch is attached.
Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2016-6153
[2] http://bugs.debian.org/835205
[3] https://www.sqlite.org/src/info/c4b9c611
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog 2015-05-02 07:59:48.000000000 +0000
+++ sqlite3-3.8.7.1/debian/changelog 2016-08-25 16:10:24.000000000 +0000
@@ -1,3 +1,11 @@
+sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium
+
+ * Fix CVE-2016-6153 , Tempdir Selection Vulnerability.
+ * Backport fix for segfault following heavy SAVEPOINT usage
+ (closes: #835205).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org> Thu, 25 Aug 2016 16:10:24 +0000
+
sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high
* Fix CVE-2015-3414 , use of uninitialized memory when parsing collation
diff -Nru sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch
--- sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch 2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,31 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5423,10 +5423,10 @@ static const char *unixTempFileDir(void)
+ if( zDir==0 ) continue;
+ if( osStat(zDir, &buf) ) continue;
+ if( !S_ISDIR(buf.st_mode) ) continue;
+- if( osAccess(zDir, 07) ) continue;
+- break;
++ if( osAccess(zDir, 03) ) continue;
++ return zDir;
+ }
+- return zDir;
++ return 0;
+ }
+
+ /*
+@@ -5446,10 +5446,11 @@ static int unixGetTempname(int nBuf, cha
+ ** using the io-error infrastructure to test that SQLite handles this
+ ** function failing.
+ */
++ zBuf[0] = 0;
+ SimulateIOError( return SQLITE_IOERR );
+
+ zDir = unixTempFileDir();
+- if( zDir==0 ) zDir = ".";
++ if( zDir==0 ) return SQLITE_IOERR_GETTEMPPATH;
+
+ /* Check that the output buffer is large enough for the temporary file
+ ** name. If it is not, return SQLITE_ERROR.
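Review bot: The new `return SQLITE_IOERR_GETTEMPPATH` in unixGetTempname drops the silent fallback to `.` with no comment or changelog wording saying so. That is a behaviour change for a stable update: a process whose candidate directories are all missing or unwritable (a chroot without /tmp, for instance) now gets an error where it previously created temp files in its working directory. That is the intended hardening, so I would record it next to the line, e.g. `/* No usable temp directory: fail instead of falling back to the current directory */`, and mention it in debian/changelog. Separately, `zBuf[0] = 0;` runs before the buffer-size check that the following comment introduces, so it relies on callers never passing `nBuf==0`; that is presumably true, but the callers are not visible here. Both functions start and end outside the hunks shown.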
diff -Nru sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch
--- sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch 2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,13 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5419,7 +5419,7 @@ static const char *unixTempFileDir(void)
+ azDirs[0] = sqlite3_temp_directory;
+ if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+ if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+- for(i=0; i<sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
++ for(i=0; i<=sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
+ if( zDir==0 ) continue;
+ if( osStat(zDir, &buf) ) continue;
+ if( !S_ISDIR(buf.st_mode) ) continue;
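Review bot: Applied on its own, this part leaves the loop reading one element past the end of `azDirs`. With the bound changed to `i<=sizeof(azDirs)/sizeof(azDirs[0])`, the final `zDir=azDirs[i++]` in the increment expression runs with `i` equal to the element count. Part 3 rewrites the loop and removes the overread, so the built package is not affected, but the three files are not safe to cherry-pick or bisect individually. I would either squash parts 1–3 into one patch or give each file a header saying so, e.g. `Description: CVE-2016-6153 part 2 of 3; apply together with parts 1 and 3`, plus an `Origin:` line naming the upstream check-in, which none of the new patch files carry.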
diff -Nru sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch
--- sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch 2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,35 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5412,19 +5412,23 @@ static const char *unixTempFileDir(void)
+ "/tmp",
+ 0 /* List terminator */
+ };
+- unsigned int i;
++ unsigned int i = 0;
+ struct stat buf;
+ const char *zDir = 0;
+
+ azDirs[0] = sqlite3_temp_directory;
+ if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+ if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+- for(i=0; i<=sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
+- if( zDir==0 ) continue;
+- if( osStat(zDir, &buf) ) continue;
+- if( !S_ISDIR(buf.st_mode) ) continue;
+- if( osAccess(zDir, 03) ) continue;
+- return zDir;
++ while(1){
++ if( zDir!=0
++ && osStat(zDir, &buf)==0
++ && S_ISDIR(buf.st_mode)
++ && osAccess(zDir, 03)==0
++ ){
++ return zDir;
++ }
++ if( i>=sizeof(azDirs)/sizeof(azDirs[0]) ) break;
++ zDir = azDirs[i++];
+ }
+ return 0;
+ }
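Review bot: `osAccess(zDir, 03)` in the rewritten loop uses a bare octal mask, yet the change from `07` is one of the security-relevant parts of the series and nothing explains it. Writing it as `osAccess(zDir, W_OK|X_OK)==0` would make the intent reviewable; so would keeping the upstream text and adding `/* 03: write+search only; read permission on the directory is not needed to create a file in it */`. The stat/access result is also only advisory, because the directory can change between this check and the later file creation; whether the open path uses exclusive creation is not visible in this hunk. The start of unixTempFileDir, including the head of `azDirs`, lies outside the hunk.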
diff -Nru sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch
--- sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch 2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,29 @@
+Index: sqlite3/src/memjournal.c
+==================================================================
+--- sqlite3/src/memjournal.c
++++ sqlite3/src/memjournal.c
+@@ -77,6 +77,7 @@ static int memjrnlRead(
+
+ /* SQLite never tries to read past the end of a rollback journal file */
+ assert( iOfst+iAmt<=p->endpoint.iOffset );
++ assert( p->readpoint.iOffset==0 || p->readpoint.pChunk!=0 );
+
+ if( p->readpoint.iOffset!=iOfst || iOfst==0 ){
+ sqlite3_int64 iOff = 0;
+@@ -88,6 +89,7 @@ static int memjrnlRead(
+ }
+ }else{
+ pChunk = p->readpoint.pChunk;
++ assert( pChunk!=0 );
+ }
+
+ iChunkOffset = (int)(iOfst%JOURNAL_CHUNKSIZE);
+@@ -99,7 +101,7 @@ static int memjrnlRead(
+ nRead -= iSpace;
+ iChunkOffset = 0;
+ } while( nRead>=0 && (pChunk=pChunk->pNext)!=0 && nRead>0 );
+- p->readpoint.iOffset = iOfst+iAmt;
++ p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;
+ p->readpoint.pChunk = pChunk;
+
+ return SQLITE_OK;
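Review bot: The two added `assert()` lines state the invariant (a non-zero `readpoint.iOffset` implies a non-NULL `readpoint.pChunk`) but do not enforce it in builds where assertions are compiled out. There the fix rests entirely on `p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;`, which carries no comment. I would add one, e.g. `/* Walked off the end of the chunk list: reset the cached read point so the next read rescans instead of dereferencing a NULL pChunk */`. The rescan branch's body is outside these hunks, so that wording should be checked against it. A regression test for the SAVEPOINT sequence from #835205 would also be worth carrying, since nothing in the package diff exercises this path.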
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series 2015-05-02 07:59:48.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/series 2016-08-25 16:10:24.000000000 +0000
@@ -9,3 +9,7 @@
40-CVE-2015-3414.patch
41-CVE-2015-3415.patch
42-CVE-2015-3416.patch
+45-CVE-2016-6153_part1.patch
+46-CVE-2016-6153_part2.patch
+47-CVE-2016-6153_part3.patch
+50-fix_in-memory_journal.patch
--- End Message ---
--- Begin Message ---
Version: 8.6
The updates referred to in each of these bugs were included in today's
stable point release.
Regards,
Adam
--- End Message ---