GNU bug report logs - #33751
SQLite "Magellan" vulnerability


Package: guix

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 15 Dec 2018 00:19:02 UTC

Severity: normal

Tags: security

Done: Alex Vong <alexvong1995 <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#33751; Package guix. (Sat, 15 Dec 2018 00:19:02 GMT)

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 15 Dec 2018 00:19:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: bug-guix <at> gnu.org
Subject: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 01:18:30 +0100
[Message part 1 (text/plain, inline)]
Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

  1 Added function symbol not referenced by debug info:

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.

[0001-gnu-SQLite-Update-to-3.26.0.patch (text/x-patch, attachment)]
[0002-gnu-SQLite-Add-static-output.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
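As an added example (not from the report or from Guix itself), a POSIX shell script that turns the abidiff check above into a go/no-go decision for grafting, using libabigail's documented exit-status bits instead of reading the summary by eye. The store paths and the script name are placeholders.

```shell
#!/bin/sh
# Added example: decide whether a replacement shared library is safe to graft
# over the old store item.  abidiff's exit status is a set of bit flags
# (libabigail documentation):
#   0 = ABIDIFF_OK, 1 = ABIDIFF_ERROR, 2 = ABIDIFF_USAGE_ERROR,
#   4 = ABIDIFF_ABI_CHANGE (backward-compatible, e.g. an added symbol),
#   8 = ABIDIFF_ABI_INCOMPATIBLE_CHANGE (removed or changed symbols).

# interpret_abidiff_status STATUS
# Prints a verdict; returns 0 only when grafting is ABI-safe, 1 when the
# change is incompatible, 2 when abidiff could not run or compare.
interpret_abidiff_status() {
    status=$1
    if [ $((status & 3)) -ne 0 ]; then
        echo "error: abidiff failed or could not compare (status $status)"
        return 2
    fi
    if [ $((status & 8)) -ne 0 ]; then
        echo "unsafe: incompatible ABI change; rebuild dependents, do not graft"
        return 1
    fi
    if [ $((status & 4)) -ne 0 ]; then
        echo "safe: only backward-compatible additions (e.g. a new symbol)"
    else
        echo "safe: ABI identical"
    fi
    return 0
}

# graft_abi_check OLD_LIB NEW_LIB
# Runs abidiff on the two shared objects, e.g. libsqlite3.so from the
# 3.24.0 and 3.26.0 store items in the report, and interprets the result.
# Caveat: a graft only rewrites references to the old store item; anything
# that linked libsqlite3.a statically gets nothing from it and needs a rebuild.
graft_abi_check() {
    abidiff "$1" "$2" >/dev/null 2>&1
    interpret_abidiff_status $?
}

# Usage (placeholder paths):
#   sh graft-check.sh /gnu/store/...-sqlite-3.24.0/lib/libsqlite3.so \
#                     /gnu/store/...-sqlite-3.26.0/lib/libsqlite3.so
if [ $# -eq 2 ]; then
    graft_abi_check "$1" "$2"
fi
```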

Information forwarded to bug-guix <at> gnu.org:
bug#33751; Package guix. (Sat, 15 Dec 2018 01:52:01 GMT)

Message #8 received at 33751 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: 33751 <at> debbugs.gnu.org
Subject: Re: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 02:51:29 +0100
[Message part 1 (text/plain, inline)]
Marius Bakke <mbakke <at> fastmail.com> writes:

> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function
>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
>   1 Added function symbol not referenced by debug info:
>
>     sqlite3_create_window_function
>
> ...but I have not tested this.  It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a.  Can we start this on
> Berlin concurrently?  Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
meantime?  Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#33751; Package guix. (Sat, 15 Dec 2018 10:48:01 GMT)

Message #11 received at 33751 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 33751 <at> debbugs.gnu.org
Subject: Re: bug#33751: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 11:47:07 +0100
Marius Bakke <mbakke <at> fastmail.com> writes:

> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> Hello!
>>
>> There is allegedly a remote code execution bug in all versions of SQLite
>> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>>
>> I think it is safe to graft 3.26.0 in-place:
>>
>> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function
>>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
>>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
>>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>>
>>   1 Added function symbol not referenced by debug info:
>>
>>     sqlite3_create_window_function
>>
>> ...but I have not tested this.  It's difficult to tell which patches to
>> apply without knowing more details of the vulnerability.
>>
>> I am currently building a branch that adds a "static" output for
>> SQLite in order to catch users of libsqlite3.a.  Can we start this on
>> Berlin concurrently?  Patches attached.
>
> Perhaps it's better to start over 'staging' with the new SQLite in the
> meantime?  Hydra didn't get too far yet.
>
> It does not add a lot to the current rebuild count.

Sounds good to me.  Thank you!

-- 
Ricardo

Information forwarded to bug-guix <at> gnu.org:
bug#33751; Package guix. (Mon, 17 Dec 2018 19:06:02 GMT)

Message #14 received at 33751 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: guix-devel <at> gnu.org, 33751 <at> debbugs.gnu.org
Subject: Re: [SECURITY] Which packages bundle sqlite?
Date: Mon, 17 Dec 2018 14:04:16 -0500
Hi Alex,

This issue is being tracked at <https://bugs.gnu.org/33751>,
so it would be best to send followups regarding this issue to
<33751 <at> debbugs.gnu.org>.

Alex Vong <alexvong1995 <at> gmail.com> writes:

> I also want to know whether we should graft in this case, since updating
> sqlite would cause ~4000 rebuilds.

Yes, it should be grafted.

> Besides, how should we deal with packages that
> inherit sqlite when grafting?
> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)

These should be changed to use the 'package/inherit' macro.

Thanks for working on it!

      Mark

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 17 Dec 2018 22:05:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#33751; Package guix. (Tue, 18 Dec 2018 03:08:01 GMT)

Message #19 received at 33751 <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 33751 <at> debbugs.gnu.org, alexvong1995 <at> gmail.com
Subject: Re: [SECURITY] Which packages bundle sqlite?
Date: Tue, 18 Dec 2018 11:07:24 +0800
[Message part 1 (text/plain, inline)]
Hi Mark,

Mark H Weaver <mhw <at> netris.org> writes:

> Hi Alex,
>
> This issue is being tracked at <https://bugs.gnu.org/33751>,
> so it would be best to send followups regarding this issue to
> <33751 <at> debbugs.gnu.org>.
>
Thanks for pointing me to the right place. I checked guix-patches but
not guix...

> Alex Vong <alexvong1995 <at> gmail.com> writes:
>
>> I also want to know whether we should graft in this case, since updating
>> sqlite would cause ~4000 rebuilds.
>
> Yes, it should be grafted.
>
>> Besides, how should we deal with packages that
>> inherit sqlite when grafting?
>> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)
>
> These should be changed to use the 'package/inherit' macro.
>
I sent the patch to
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783>.

> Thanks for working on it!
>
>       Mark

Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Reply sent to Alex Vong <alexvong1995 <at> gmail.com>:
You have taken responsibility. (Tue, 25 Dec 2018 18:12:01 GMT)

Notification sent to Marius Bakke <mbakke <at> fastmail.com>:
bug acknowledged by developer. (Tue, 25 Dec 2018 18:12:02 GMT)

Message #24 received at 33751-done <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: 33751-done <at> debbugs.gnu.org
Cc: alexvong1995 <at> gmail.com
Subject: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH]
 gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Wed, 26 Dec 2018 02:11:28 +0800
[Message part 1 (text/plain, inline)]
Closing as patch was applied

[Message part 2 (message/rfc822, inline)]
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Alex Vong <alexvong1995 <at> gmail.com>
Subject: bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace
 with 3.26.0 [security fixes].)
Date: Mon, 24 Dec 2018 09:36:02 +0000
[Message part 3 (text/plain, inline)]
Your bug report

#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 33783 <at> debbugs.gnu.org.

-- 
33783: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 4 (message/rfc822, inline)]
From: Efraim Flashner <efraim <at> flashner.co.il>
To: 33783-done <at> debbugs.gnu.org
Subject: Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security
 fixes].
Date: Mon, 24 Dec 2018 11:35:36 +0200
[Message part 5 (text/plain, inline)]
Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]
[Message part 7 (message/rfc822, inline)]
From: Alex Vong <alexvong1995 <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: alexvong1995 <at> gmail.com
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Date: Tue, 18 Dec 2018 10:53:19 +0800
[Message part 8 (text/plain, inline)]
Tag: security

Hello,

This patch grafts sqlite to its latest version. It also changes all the
sqlite-* packages to use 'package/inherit' so that they get the
replacement as well. See <https://bugs.gnu.org/33751> for details.

[0001-gnu-sqlite-Replace-with-3.26.0-security-fixes.patch (text/x-diff, inline)]
From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Fixes <https://bugs.gnu.org/33751>.
Reported by Marius Bakke <mbakke <at> fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
 gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451e..78d9a6739 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -24,7 +24,7 @@
 ;;; Copyright © 2017 Adriano Peluso <catonano <at> gmail.com>
 ;;; Copyright © 2017 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me <at> tobias.gr>
-;;; Copyright © 2017 Alex Vong <alexvong1995 <at> gmail.com>
+;;; Copyright © 2017, 2018 Alex Vong <alexvong1995 <at> gmail.com>
 ;;; Copyright © 2017, 2018 Ben Woodcroft <donttrustben <at> gmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling <at> mykolab.com>
 ;;; Copyright © 2017, 2018 Pierre Langlois <pierre.langlois <at> gmx.com>
@@ -1183,6 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
+   (replacement sqlite-3.26.0)
    (version "3.24.0")
    (source (origin
             (method url-fetch)
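Review bot: `(replacement sqlite-3.26.0)` makes Guix graft the 3.26.0 build over the 3.24.0 store item in place, so the replacement must keep the same outputs and a backward-compatible ABI; the abidiff run earlier in this thread shows only one added symbol (sqlite3_create_window_function), which satisfies that, but it is worth recording in the commit message that the ABI was checked. Also note the limit of this fix: packages that linked libsqlite3.a statically (the reason a separate "static" output was proposed in message #5) receive nothing from a graft and still need a rebuild against the new version.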
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite-3.26.0
+  (package/inherit sqlite
+    (version "3.26.0")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2018/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))))
+
 ;; This is used by Tracker.
 (define-public sqlite-with-fts5
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-fts5")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
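Review bot: the replacement package itself is defined with `package/inherit sqlite` (line `+  (package/inherit sqlite`), but that macro also applies the same overrides to the parent's replacement, and the parent's replacement is this very package, so sqlite-3.26.0 ends up carrying a replacement derived from itself. The conventional form for a replacement definition is plain `(package (inherit sqlite) (version "3.26.0") ...)`, which ends the graft chain here; `package/inherit` is the right tool only for the derived packages sqlite-with-fts5 and sqlite-with-column-metadata further down, where it is what makes them pick up the replacement.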
@@ -1230,7 +1251,7 @@ is in the public domain.")
 
 ;; This is used by Qt.
 (define-public sqlite-with-column-metadata
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-column-metadata")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
-- 
2.19.2

[Message part 10 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 23 Jan 2019 12:24:04 GMT)
