unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
@ 2021-03-18 11:42 Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 23:37 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-26  1:23 ` Mark H Weaver
  0 siblings, 2 replies; 7+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-18 11:42 UTC (permalink / raw)
  To: 47231


[-- Attachment #1.1: Type: text/plain, Size: 674 bytes --]

According to
https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards
compatible.

It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an errorneous
test testing internal sqlite implementation detail (but grafting wont
actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see 
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo

[-- Attachment #1.2: 0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch --]
[-- Type: text/x-patch, Size: 2166 bytes --]

From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Thu, 18 Mar 2021 07:09:10 +0100
Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes].

* gnu/packages/sqlite.scm (sqlite/fixed): New variable.
(sqlite)[replacement]: Graft.
---
 gnu/packages/sqlite.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm
index eeb77749d8..cc378b359a 100644
--- a/gnu/packages/sqlite.scm
+++ b/gnu/packages/sqlite.scm
@@ -65,6 +65,7 @@
             (sha256
              (base32
               "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32"))))
+   (replacement sqlite/fixed)
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (native-inputs (if (hurd-target?)
@@ -122,6 +123,26 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite/fixed
+  (package/inherit sqlite
+    (version "3.32.3")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2020/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3"))))))
+
 ;; Column metadata support was added to the regular 'sqlite' package with
 ;; commit fad5b1a6d8d9c36bea5785ae4fbc1beb37e644d7.
 (define-public sqlite-with-column-metadata
-- 
2.31.0


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply related	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2021-03-26  1:37 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-18 11:42 bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 23:37 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-24 22:54   ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-25 11:27     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-03-25 15:56       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2021-03-26  1:23 ` Mark H Weaver
2021-03-26  1:36   ` Léo Le Bouter via Bug reports for GNU Guix

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).