unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
From: "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org>
To: 47231@debbugs.gnu.org
Subject: bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 18 Mar 2021 12:42:43 +0100	[thread overview]
Message-ID: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net> (raw)


[-- Attachment #1.1: Type: text/plain, Size: 674 bytes --]

According to
https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards
compatible.

It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an errorneous
test testing internal sqlite implementation detail (but grafting wont
actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see 
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo

[-- Attachment #1.2: 0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch --]
[-- Type: text/x-patch, Size: 2166 bytes --]

From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Thu, 18 Mar 2021 07:09:10 +0100
Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].

* gnu/packages/sqlite.scm (sqlite/fixed): New variable.
(sqlite)[replacement]: Graft.
---
 gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
index eeb77749d8..cc378b359a 100644
--- a/gnu/packages/sqlite.scm
+++ b/gnu/packages/sqlite.scm
@@ -65,6 +65,7 @@
             (sha256
              (base32
               "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
+   (replacement sqlite/fixed)
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (native-inputs (if (hurd-target?)
@@ -122,6 +123,26 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite/fixed
+  (package/inherit sqlite
+    (version "3.32.3")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2020/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3"))))))
+
 ;; Column metadata support was added to the regular 'sqlite' package with
 ;; commit fad5b1a6d8d9c36bea5785ae4fbc1beb37e644d7.
 (define-public sqlite-with-column-metadata
-- 
2.31.0


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

             reply	other threads:[~2021-03-18 11:43 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-18 11:42 Léo Le Bouter via Bug reports for GNU Guix [this message]
2021-03-23 23:37 ` bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 Léo Le Bouter via Bug reports for GNU Guix
2021-03-24 22:54   ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-25 11:27     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-03-25 15:56       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-03-26  1:23 ` Mark H Weaver
2021-03-26  1:36   ` Léo Le Bouter via Bug reports for GNU Guix

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net \
    --to=bug-guix@gnu.org \
    --cc=47231@debbugs.gnu.org \
    --cc=lle-bout@zaclys.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).