From: "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org>
To: 47231@debbugs.gnu.org
Subject: bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 18 Mar 2021 12:42:43 +0100 [thread overview]
Message-ID: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 674 bytes --]
According to
https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards
compatible.
It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an errorneous
test testing internal sqlite implementation detail (but grafting wont
actually re-run this test suite).
See: https://bugs.python.org/issue40784
Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.
Attached WIP patch.
Thank you!
Léo
[-- Attachment #1.2: 0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch --]
[-- Type: text/x-patch, Size: 2166 bytes --]
From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Thu, 18 Mar 2021 07:09:10 +0100
Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].
* gnu/packages/sqlite.scm (sqlite/fixed): New variable.
(sqlite)[replacement]: Graft.
---
gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
index eeb77749d8..cc378b359a 100644
--- a/gnu/packages/sqlite.scm
+++ b/gnu/packages/sqlite.scm
@@ -65,6 +65,7 @@
(sha256
(base32
"1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
+ (replacement sqlite/fixed)
(build-system gnu-build-system)
(inputs `(("readline" ,readline)))
(native-inputs (if (hurd-target?)
@@ -122,6 +123,26 @@ widely deployed SQL database engine in the world. The source code for SQLite
is in the public domain.")
(license license:public-domain)))
+(define-public sqlite/fixed
+ (package/inherit sqlite
+ (version "3.32.3")
+ (source (origin
+ (method url-fetch)
+ (uri (let ((numeric-version
+ (match (string-split version #\.)
+ ((first-digit other-digits ...)
+ (string-append first-digit
+ (string-pad-right
+ (string-concatenate
+ (map (cut string-pad <> 2 #\0)
+ other-digits))
+ 6 #\0))))))
+ (string-append "https://sqlite.org/2020/sqlite-autoconf-"
+ numeric-version ".tar.gz")))
+ (sha256
+ (base32
+ "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3"))))))
+
;; Column metadata support was added to the regular 'sqlite' package with
;; commit fad5b1a6d8d9c36bea5785ae4fbc1beb37e644d7.
(define-public sqlite-with-column-metadata
--
2.31.0
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next reply other threads:[~2021-03-18 11:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-18 11:42 Léo Le Bouter via Bug reports for GNU Guix [this message]
2021-03-23 23:37 ` bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 Léo Le Bouter via Bug reports for GNU Guix
2021-03-24 22:54 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-25 11:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-03-25 15:56 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-03-26 1:23 ` Mark H Weaver
2021-03-26 1:36 ` Léo Le Bouter via Bug reports for GNU Guix
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net \
--to=bug-guix@gnu.org \
--cc=47231@debbugs.gnu.org \
--cc=lle-bout@zaclys.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).