Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Control: tags -1 + confirmed

On Wed, 2023-06-14 at 00:01 +0200, Pierre Gruet wrote:
> Grave bug #1036706 has been filed a few days before the release of
> Bookworm.
> This is a security bug associated with CVE-2023-32697.

Please go ahead.

Regards,

Adam
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Hi Salvatore,

On 15/06/2023 at 07:21, Salvatore Bonaccorso wrote:
> Hi Pierre,
>
> On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> [...]
> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200 @@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200
>
> Can you as well add the Debian bug closer for #1036706 here?

Thanks for looking at my diff. I admit I had not considered closing the bug here since it has already been declared as closed by the upload to unstable; I would have issued a BTS command after this proposal hits bookworm. Anyway, thanks for educating me on this.

Enclosed is the new source debdiff; everything else in the original message of this bug thread remains unchanged.

> Regards,
> Salvatore

Best,

--
Pierre

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,10 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm, +Closes: #1036706) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.0 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.0 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch
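Review bot: the changelog entry in the debian/changelog hunk (@@ -1,3 +1,10 @@) describes the change as "Using a random UUID for the connection", but what the patch changes is the name of the temporary database file written under java.io.tmpdir, not anything about the connection; suggest "Use a random UUID instead of resourceAddr.hashCode() for the temporary DB file name (Fixes CVE-2023-32697 in Bookworm, Closes: #1036706)" so the stable changelog says what was actually changed. Also check in the file itself that the "Closes: #1036706)" continuation line is indented under the bullet; in the debdiff as pasted it appears at column 0.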
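Review bot: in the second nested hunk of CVE-2023-32697.patch (@@ -303,7 +304,7 @@), the random UUID removes the predictable name, but the file is still created by path in the shared java.io.tmpdir via `new File(tempFolder, dbFileName)`, and the retained `if (dbFile.exists())` branch is now effectively unreachable rather than a real collision check. As a minimal cherry-pick for stable this is the right scope; for a follow-up upstream, creating the file with `Files.createTempFile(Paths.get(tempFolder), "sqlite-jdbc-tmp-", ".db")` would let the OS create it atomically with owner-only permissions and make the existence check unnecessary.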
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
>
> Dear Release team,
>
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
>
> [ Reason ]
> Grave bug #1036706 has been filed a few days before the release of Bookworm.
> This is a security bug associated with CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was that the fix of this bug, which amounts to cherry-picking one
> commit from upstream, should land in Bookworm during a point release.
>
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this
> is where there might be some hazard.
>
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
>
> [ Risks ]
> The code is very simple, only 2 lines are changed. Upstream published it
> three weeks ago and has issued new upstream versions since then.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
>
> Thanks for your help,
>
> Best,
>
> --
> Pierre
> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog > xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog > --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 > 14:24:45.0 +0100 > +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 > 23:19:59.0 +0200 > @@ -1,3 +1,9 @@ > +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium > + > + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) > + > + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 has been filed a few days before the release of Bookworm. This is a security bug associated with CVE-2023-32697. Although it has been marked no-dsa by the security team, we exchanged a few emails and our conclusion was that the fix of this bug, which amounts to cherry-picking one commit from upstream, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the package are mainly used in a single-user environment, but possibly it is also used in a network environment by some users for their own programs, and this is where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
The code is very simple, only 2 lines are changed. Upstream published it three weeks ago and has issued new upstream versions since then.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream, which uses a random UUID instead of the hash of some fixed address in order to define the DB file name.

Thanks for your help,

Best,

--
Pierre

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.0 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.0 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch
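Review bot: the new changelog entry (@@ -1,3 +1,9 @@) references CVE-2023-32697 but does not close the Debian bug; add the closer to the bullet so the BTS marks #1036706 as fixed in bookworm when the upload is accepted, e.g. `* Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm, Closes: #1036706)`.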
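Review bot: the DEP-3 header of CVE-2023-32697.patch (top of the @@ -0,0 +1,28 @@ hunk) says only "Description: fixing CVE-2023-32697"; a one-line statement of the problem, such as "the temporary DB file name was derived from resourceAddr.hashCode() and so was predictable in java.io.tmpdir", helps whoever reads the stable patch later without the advisory at hand. Since Origin already points at the upstream commit, "Author: Pierre Gruet" should either name the upstream commit author or be dropped, as DEP-3 uses Author for the patch's author and Origin for where it was taken from.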
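As an added illustration of why the cherry-picked commit matters (example code written for this page, not the bug report's or sqlite-jdbc's own code): the pre-fix name is a pure function of the resource URL, so it is identical on every run and every host with the same jar path, whereas the UUID name is not. The third method goes one step beyond the patch and shows atomic creation with owner-only permissions, which the patch does not use. The class name, the jar: URL and createPrivateTempDb() are hypothetical; only the two format strings come from the patch.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.UUID;

// Added example, not sqlite-jdbc code. Class name, the jar: URL and
// createPrivateTempDb() are hypothetical; only the two format strings are
// taken from the patch in this thread.
public class TempDbNaming {

    // Pre-fix naming (the removed line of the patch): the name is a pure
    // function of the resource URL, so every JVM that loads the same jar
    // computes the same path under java.io.tmpdir.
    static String legacyName(URL resourceAddr) {
        return String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
    }

    // Post-fix naming (the added line of the patch): UUID.randomUUID() is
    // backed by SecureRandom, so another local user cannot precompute the path.
    static String fixedName() {
        return String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
    }

    // Hardened variant the patch does not use: let the OS create the file
    // atomically with owner-only permissions, so no separate exists() check
    // is needed and the permissions are not left to the umask.
    static Path createPrivateTempDb() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        try {
            return Files.createTempFile(tmp, "sqlite-jdbc-tmp-", ".db",
                    PosixFilePermissions.asFileAttribute(
                            PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): still atomic, default ACL.
            return Files.createTempFile(tmp, "sqlite-jdbc-tmp-", ".db");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a jar: URL of the kind resolved when the JDBC URL
        // points at a database packed inside a jar (hypothetical path).
        URL first = URI.create("jar:file:/opt/app/app.jar!/data/sample.db").toURL();
        URL second = URI.create("jar:file:/opt/app/app.jar!/data/sample.db").toURL();

        // Identical for both URLs, and on any other host with the same jar
        // path: anyone who can write to java.io.tmpdir can create this file
        // before the application does.
        System.out.println("legacy: " + legacyName(first));
        System.out.println("legacy: " + legacyName(second));

        // Differs on every call.
        System.out.println("fixed : " + fixedName());
        System.out.println("fixed : " + fixedName());

        Path p = createPrivateTempDb();
        try {
            System.out.println("atomic: " + p + " " + Files.getPosixFilePermissions(p));
        } catch (UnsupportedOperationException e) {
            System.out.println("atomic: " + p);
        } finally {
            Files.deleteIfExists(p);
        }
    }
}
```

Run it twice with `java TempDbNaming.java` and the two "legacy" lines repeat across runs while the "fixed" lines do not; on Linux the "atomic" line shows `[OWNER_READ, OWNER_WRITE]`.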