Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-17 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2023-06-14 at 00:01 +0200, Pierre Gruet wrote:
> Grave bug #1036706 has been filed a few days before the release of
> Bookworm.
> This is a security bug associated with CVE-2023-32697.

Please go ahead.

Regards,

Adam



Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-15 Thread Pierre Gruet

Hi Salvatore,

On 15/06/2023 at 07:21, Salvatore Bonaccorso wrote:
> Hi Pierre,
>
> On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
>
> [...]
>

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-02-04 
14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-06-13 
23:19:59.0 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200


> Can you as well add the Debian bug closer for #1036706 here?

Thanks for looking at my diff. I admit I had not considered closing the
bug here, since it has already been declared as closed by the upload to
unstable; I would have issued a BTS command after this proposal hit
bookworm.

Anyway, thanks for educating me on this.

Enclosed is the new source debdiff; everything else in the original
message of this bug thread remains unchanged.




> Regards,
> Salvatore

Best,

--
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,10 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm,
+Closes: #1036706)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
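Review bot: the continuation line `+Closes: #1036706)` is not indented under its bullet, while debian/changelog requires every change-detail line to start with at least two spaces; unless this is an artefact of mail wrapping, it should read `+    Closes: #1036706)` so that dpkg-parsechangelog keeps treating it as part of the entry. With that fixed, the `Closes:` in the body is enough for the BTS to mark #1036706 as fixed in bookworm once the upload is accepted, with no manual BTS command needed.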
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	1970-01-01 01:00:00.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	2023-06-13 23:17:23.0 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet 
+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
 b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+ }
+ 
+ String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+ File dbFile = new File(tempFolder, dbFileName);
+ 
+ if (dbFile.exists()) {
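Review bot: the core change at `++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());` removes the predictable file name derived from `resourceAddr.hashCode()`, which is what CVE-2023-32697 turns on, but the following `+ if (dbFile.exists()) {` shows that the check-then-create pattern in the shared `java.io.tmpdir` is unchanged; a follow-up worth raising upstream would be to create the file atomically with `java.nio.file.Files.createTempFile`, which on POSIX also applies owner-only permissions. Separately, the line ` b/src/main/java/org/sqlite/SQLiteConnection.java` has lost its `++++` prefix in this copy of the debdiff, so please confirm that the patch file in the source package carries `+++ b/src/main/java/org/sqlite/SQLiteConnection.java`; without it quilt cannot parse the file header.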
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-02-02 17:16:53.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-06-13 23:10:58.0 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch




Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-14 Thread Salvatore Bonaccorso
Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
> 
> Dear Release team,
> 
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
> 
> [ Reason ]
> Grave bug #1036706 has been filed a few days before the release of Bookworm.
> This is a security bug associated with CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was that the fix for this bug, which amounts to cherry-picking one
> upstream commit, should land in Bookworm during a point release.
> 
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this
> is where there might be some hazard.
> 
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
> 
> [ Risks ]
> The code is very simple; only 2 lines are changed. Upstream published it
> three weeks ago and has issued new upstream versions since then.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
> 
> 
> 
> Thanks for your help,
> 
> Best,
> 
> -- 
> Pierre

> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
> xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
> --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 
> 14:24:45.0 +0100
> +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 
> 23:19:59.0 +0200
> @@ -1,3 +1,9 @@
> +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
> +
> +  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
> +
> + -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore



Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-13 Thread Pierre Gruet
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 has been filed a few days before the release of Bookworm.
This is a security bug associated with CVE-2023-32697. Although it has been
marked no-dsa by the security team, we exchanged a few emails and our
conclusion was that the fix for this bug, which amounts to cherry-picking one
upstream commit, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
package are mainly used in a single-user environment, but possibly it is also
used in a network environment by some users for their own programs, and this is
where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
The code is very simple; only 2 lines are changed. Upstream published it
three weeks ago and has issued new upstream versions since then.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
which uses a random UUID instead of the hash of some fixed address in order to
define the DB file name.



Thanks for your help,

Best,

-- 
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-02-04 
14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-06-13 
23:19:59.0 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
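Review bot: the entry `+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)` names the wrong object: the UUID goes into the name of the temporary database file extracted under `java.io.tmpdir`, not into the connection itself. Suggest wording along the lines of `Use a random UUID for the temporary database file name (CVE-2023-32697)`, and add `Closes: #1036706` so the grave bug is closed by the point-release upload rather than by hand afterwards.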
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
1970-01-01 01:00:00.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
2023-06-13 23:17:23.0 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet 
+Origin: upstream, 
https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: 
https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
 b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+ }
+ 
+ String tempFolder = new 
File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", 
resourceAddr.hashCode());
++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", 
UUID.randomUUID());
+ File dbFile = new File(tempFolder, dbFileName);
+ 
+ if (dbFile.exists()) {
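Review bot: the DEP-3 header pairs `+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242` with `+Author: Pierre Gruet`, but DEP-3 reserves `Author` (or `From`) for the person who wrote the patch; for a verbatim upstream cherry-pick either drop `Author`, since `Origin` already identifies the commit, or name the upstream author. `Forwarded: not-needed` and `Applied-Upstream` are consistent with that origin. `+Description: fixing CVE-2023-32697` would also be more useful if it said what the change does (randomize the temporary database file name instead of deriving it from `resourceAddr.hashCode()`), so the header stands on its own without following the links.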
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series  2023-02-02 
17:16:53.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series  2023-06-13 
23:10:58.0 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch
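The naming change described under [ Changes ] above, as an added Java illustration that is not part of the debdiff or of sqlite-jdbc itself: `TempDbNaming`, `RESOURCE_ADDR`, `legacyName`, `patchedName` and `createPrivateTempDb` are hypothetical names, and the hardened variant is an assumption about a possible follow-up, not something the cherry-picked commit does.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.UUID;

/** Added illustration of the CVE-2023-32697 naming change; not sqlite-jdbc code. */
public class TempDbNaming {
    // Hypothetical resource address; in sqlite-jdbc this is the URL of the bundled native library.
    static final String RESOURCE_ADDR =
        "jar:file:/usr/share/java/sqlite-jdbc.jar!/org/sqlite/native/Linux/x86_64/libsqlitejdbc.so";

    /** Pre-patch scheme: String.hashCode() is fixed by the Java spec, so the same
     *  resource yields the same file name on every run and on every JVM. */
    static String legacyName(String resourceAddr) {
        return String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
    }

    /** Patched scheme (upstream commit edb4b8a): a fresh random UUID per extraction. */
    static String patchedName() {
        return String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
    }

    /** Hardened alternative (an assumption, not part of the patch): let the JDK create
     *  the file atomically with owner-only permissions, so there is no exists()-then-create
     *  window in the shared directory. Non-POSIX file systems get the default attributes. */
    static Path createPrivateTempDb(File tempFolder) throws IOException {
        Path dir = tempFolder.toPath();
        if (dir.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            return Files.createTempFile(dir, "sqlite-jdbc-tmp-", ".db",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        }
        return Files.createTempFile(dir, "sqlite-jdbc-tmp-", ".db");
    }

    public static void main(String[] args) throws IOException {
        // Same input, same name: this is the predictability CVE-2023-32697 describes.
        System.out.println("legacy name stable across calls: "
            + legacyName(RESOURCE_ADDR).equals(legacyName(RESOURCE_ADDR)));
        // Fresh UUID each time: two extractions never share a name.
        System.out.println("patched names collide: " + patchedName().equals(patchedName()));
        Path db = createPrivateTempDb(new File(System.getProperty("java.io.tmpdir")));
        System.out.println("created " + db);
        Files.deleteIfExists(db);
    }
}
```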