unofficial mirror of bug-guix@gnu.org 
* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
@ 2021-03-18 11:42 Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 23:37 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-26  1:23 ` Mark H Weaver
  0 siblings, 2 replies; 7+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-18 11:42 UTC (permalink / raw)
  To: 47231



According to https://www.sqlite.org/versionnumbers.html, major versions of
SQLite remain ABI and file-format backwards compatible.

It means we could graft without trouble: 3.32.3 fixes all CVEs. However,
3.32 introduces a test failure in Python 3.8.2, which is an erroneous
test testing an internal SQLite implementation detail (but grafting won't
actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this,
but it turns out to be unnecessarily complicated; see
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo

[-- Attachment #1.2: 0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch --]
[-- Type: text/x-patch, Size: 2166 bytes --]

From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Thu, 18 Mar 2021 07:09:10 +0100
Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].

* gnu/packages/sqlite.scm (sqlite/fixed): New variable.
(sqlite)[replacement]: Graft.
---
 gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
index eeb77749d8..cc378b359a 100644
--- a/gnu/packages/sqlite.scm
+++ b/gnu/packages/sqlite.scm
@@ -65,6 +65,7 @@
             (sha256
              (base32
               "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
+   (replacement sqlite/fixed)
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (native-inputs (if (hurd-target?)
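Review bot: `(replacement sqlite/fixed)` makes this a graft, so every dependent receives the 3.32.3 build by store-reference rewriting without being rebuilt; that is only sound because SQLite keeps its ABI and file format stable across 3.x releases, which the cover letter cites but the commit message does not. Please state that justification (and the versionnumbers.html reference) in the commit message itself, since the graft is what users will get and the reasoning should travel with the change rather than stay in the bug thread.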
@@ -122,6 +123,26 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite/fixed
+  (package/inherit sqlite
+    (version "3.32.3")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2020/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3"))))))
+
 ;; Column metadata support was added to the regular 'sqlite' package with
 ;; commit fad5b1a6d8d9c36bea5785ae4fbc1beb37e644d7.
 (define-public sqlite-with-column-metadata
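Review bot: `package/inherit` is the wrong constructor for `sqlite/fixed`, because this package is itself the replacement: `package/inherit` re-applies the same transformation to the parent's `replacement` field, and the previous hunk has just set `sqlite`'s replacement to `sqlite/fixed`, so the replacement would end up carrying a replacement of its own. Use `(package (inherit sqlite) ...)` instead, which does not propagate that field. Separately, the `"https://sqlite.org/2020/sqlite-autoconf-"` prefix hard-codes the release year, so anyone bumping this graft to a release published in another year must remember to change it along with the version and hash.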
-- 
2.31.0



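For anyone reviewing the patch above or verifying the graft once it lands, here is an added example in POSIX shell; it is not part of the patch or of the Guix tree. The first two functions redo the version-to-tarball-name mapping that the patch's `uri` field performs in Scheme, generalised to any dotted SQLite version (for instance 3.8.11.1 -> 3081101), so the 3.32.3 URL can be checked by hand. The `check_*` and `print_*` functions assume a working `guix` on the machine and are not run automatically: they print the upstream tarball's base32 sha256 for comparison with the hash in the patch, use `guix repl` to confirm that the replacement does not itself carry a replacement, and confirm that `guix build sqlite` now resolves to the grafted output.

```shell
#!/bin/sh
# Added example (not from the patch or the Guix tree): check the sqlite
# graft by hand.  Only the two version helpers run unconditionally; the
# check_*/print_* functions assume a working `guix` and are meant to be
# called manually.

# sqlite.org names autoconf tarballs after a numeric version: the major
# number, then each further component zero-padded to two digits, with the
# whole suffix right-padded with zeros to six digits.  This is the same
# mapping the patch's `uri` field performs in Scheme.
#   3.32.3 -> 3320300    3.8.11.1 -> 3081101    3.35.0 -> 3350000
sqlite_numeric_version() {
  ver=$1
  major=${ver%%.*}
  case $ver in
    *.*) rest=${ver#*.} ;;
    *)   rest="" ;;
  esac
  # Split the remaining components on "." inside a subshell so the IFS
  # change does not leak into the caller.
  suffix=$(IFS=.; for part in $rest; do printf '%02d' "$part"; done)
  while [ "${#suffix}" -lt 6 ]; do
    suffix="${suffix}0"
  done
  printf '%s%s\n' "$major" "$suffix"
}

# Upstream files each release under its publication year; the patch
# hard-codes 2020 for 3.32.3.
sqlite_tarball_url() {
  year=$1
  version=$2
  printf 'https://sqlite.org/%s/sqlite-autoconf-%s.tar.gz\n' \
    "$year" "$(sqlite_numeric_version "$version")"
}

# --- Everything below needs `guix` installed (assumption); call by hand. ---

# `guix download` prints the store path and then the base32 sha256 that a
# Guix `origin` expects; compare the last line with the hash in the patch.
print_upstream_hash() {
  guix download "$(sqlite_tarball_url 2020 3.32.3)" | tail -n 1
}

# A replacement must be terminal.  Had sqlite/fixed been written with
# package/inherit, it would carry a replacement of its own, which this
# script run under `guix repl` reports as an error.
check_replacement_is_terminal() {
  script=$(mktemp) || return 1
  cat >"$script" <<'EOF'
(use-modules (guix packages) (gnu packages sqlite))
(let ((fixed (package-replacement sqlite)))
  (unless fixed
    (error "sqlite has no replacement"))
  (when (package-replacement fixed)
    (error "replacement has its own replacement; use (package (inherit ...))"))
  (format #t "~a is replaced by ~a~%"
          (package-full-name sqlite) (package-full-name fixed)))
EOF
  guix repl "$script"
  status=$?
  rm -f "$script"
  return $status
}

# With the graft in place, `guix build sqlite` resolves to the replacement's
# output while --no-grafts still yields the original build; the two store
# paths must differ and the binary must report the fixed version.
check_graft_applied() {
  ungrafted=$(guix build --no-grafts sqlite) || return 1
  grafted=$(guix build sqlite) || return 1
  if [ "$ungrafted" = "$grafted" ]; then
    echo "graft not applied: $grafted" >&2
    return 1
  fi
  "$grafted/bin/sqlite3" --version
}

# Pure part, runs anywhere: the URL the patch should be fetching.
sqlite_tarball_url 2020 3.32.3
```

Run `print_upstream_hash` and compare its output with the `sha256` field in the patch before approving; after `guix pull`, `check_graft_applied` is the quickest way to see whether the graft actually reached a profile, and `check_replacement_is_terminal` catches the `package/inherit` mistake before it is pushed.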

* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  2021-03-18 11:42 bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-23 23:37 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-24 22:54   ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-26  1:23 ` Mark H Weaver
  1 sibling, 1 reply; 7+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-23 23:37 UTC (permalink / raw)
  To: 47231


One more:

CVE-2021-20227	23.03.21 18:15
A flaw was found in SQLite's SELECT query functionality (src/select.c).
This flaw allows an attacker who is capable of running SQL queries
locally on the SQLite database to cause a denial of service or possible
code execution by triggering a use-after-free. The highest threat from
this vulnerability is to system availability.



* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  2021-03-23 23:37 ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-24 22:54   ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-25 11:27     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 1 reply; 7+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-24 22:54 UTC (permalink / raw)
  To: 47231


I could test the graft with GNU Guix's test suite by manually replacing
the sqlite input with sqlite/fixed like so:

diff --git a/gnu/packages/package-management.scm
b/gnu/packages/package-management.scm
index 888f54322d..70f5c2dad3 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -389,7 +389,7 @@ $(prefix)/etc/init.d\n")))
       (inputs
        `(("bzip2" ,bzip2)
          ("gzip" ,gzip)
-         ("sqlite" ,sqlite)
+         ("sqlite" ,sqlite/fixed)
          ("libgcrypt" ,libgcrypt)
 
          ("guile" ,guile-3.0-latest)
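Review bot: this hunk is a local test harness, not something to commit: swapping `("sqlite" ,sqlite)` for `("sqlite" ,sqlite/fixed)` rebuilds guix natively against 3.32.3, which shows that guix builds and its test suite passes with that SQLite, but it does not exercise the graft path (store-reference rewriting of the already-built guix against the replacement), which is what users will actually receive. To cover that path as well, build `guix` with and without `--no-grafts` and confirm that the grafted output references the 3.32.3 sqlite store item.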

It worked fine.

Is that enough of a test to graft in master?

Let me know and I will push.

Léo



* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  2021-03-24 22:54   ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-25 11:27     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2021-03-25 15:56       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 1 reply; 7+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-03-25 11:27 UTC (permalink / raw)
  To: Léo Le Bouter, Ludovic Courtès; +Cc: 47231

Thanks!

I'm currently rebuilding IceCat with this change as an extra 
precaution, but that shouldn't take long.  If that doesn't cause 
problems this LGTM for master.

Ludo', do you think the Guix test described here is a good one?

Kind regards,

T G-R





* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  2021-03-25 11:27     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2021-03-25 15:56       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 0 replies; 7+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-03-25 15:56 UTC (permalink / raw)
  Cc: 47231, lle-bout

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> I'm currently rebuilding IceCat with this change as an extra
> precaution, but that shouldn't take long.  If that doesn't cause 
> problems this LGTM for master.

OK, it worked, old IceCat writes new SQLite files.

Kind regards,

T G-R





* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  2021-03-18 11:42 bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 23:37 ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-26  1:23 ` Mark H Weaver
  2021-03-26  1:36   ` Léo Le Bouter via Bug reports for GNU Guix
  1 sibling, 1 reply; 7+ messages in thread
From: Mark H Weaver @ 2021-03-26  1:23 UTC (permalink / raw)
  To: Léo Le Bouter, 47231

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
> Date: Thu, 18 Mar 2021 07:09:10 +0100
> Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].
>
> * gnu/packages/sqlite.scm (sqlite/fixed): New variable.
> (sqlite)[replacement]: Graft.
> ---
>  gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
> index eeb77749d8..cc378b359a 100644
> --- a/gnu/packages/sqlite.scm
> +++ b/gnu/packages/sqlite.scm
> @@ -65,6 +65,7 @@
>              (sha256
>               (base32
>                "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
> +   (replacement sqlite/fixed)
>     (build-system gnu-build-system)
>     (inputs `(("readline" ,readline)))
>     (native-inputs (if (hurd-target?)
> @@ -122,6 +123,26 @@ widely deployed SQL database engine in the world.  The source code for SQLite
>  is in the public domain.")
>     (license license:public-domain)))
>  
> +(define-public sqlite/fixed
> +  (package/inherit sqlite

Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should
*not* use 'package/inherit', since the package you're defining is the
replacement for the package you're inheriting from.

Otherwise, it looks good to me!

     Thanks,
       Mark





* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  2021-03-26  1:23 ` Mark H Weaver
@ 2021-03-26  1:36   ` Léo Le Bouter via Bug reports for GNU Guix
  0 siblings, 0 replies; 7+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-26  1:36 UTC (permalink / raw)
  To: Mark H Weaver, 47231-done, Tobias Geerinckx-Rice


On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
> 
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed'
> should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
> 
> Otherwise, it looks good to me!
> 
>      Thanks,
>        Mark

Adapted, wasn't sure what package/inherit was for exactly.

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long.  If that doesn't cause 
> > problems this LGTM for master.
> 
> OK, it worked, old IceCat writes new SQLite files.
> 
> Kind regards,
> 
> T G-R

Thank you both for the review!

Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!


