From: Marius Bakke
Subject: bug#33751: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 01:18:30 +0100
Message-ID: <87r2ejve09.fsf@fastmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
List-Id: Bug reports for GNU Guix
To: 33751@debbugs.gnu.org

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Hello!

There is allegedly a remote code execution bug in all versions of SQLite prior to 3.26.0: .

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

  sqlite3_create_window_function

...but I have not tested this.

It's difficult to tell which patches to apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for SQLite in order to catch users of libsqlite3.a. Can we start this on Berlin concurrently?

Patches attached.

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-gnu-SQLite-Update-to-3.26.0.patch
Content-Transfer-Encoding: quoted-printable

From=205556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke Date: Sat, 15 Dec 2018 00:31:16 +0100 Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0. * gnu/packages/databases.scm (sqlite): Update to 3.26.0. =2D-- gnu/packages/databases.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 0fa6d451ed..a3848dee8e 100644 =2D-- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -1183,7 +1183,7 @@ changes.") (define-public sqlite (package (name "sqlite") =2D (version "3.24.0") + (version "3.26.0") (source (origin (method url-fetch) (uri (let ((numeric-version @@ -1199,7 +1199,7 @@ changes.") numeric-version ".tar.gz"))) (sha256 (base32 =2D "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr")))) + "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx")))) (build-system gnu-build-system) (inputs `(("readline" ,readline))) (arguments =2D-=20 2.20.0 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0002-gnu-SQLite-Add-static-output.patch Content-Transfer-Encoding: quoted-printable From=20ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 15 Dec 2018 00:31:37 +0100 Subject: [PATCH 2/2] gnu: SQLite: Add static output. * gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-li= brary'. [outputs]: New field. =2D-- gnu/packages/databases.scm | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index a3848dee8e..148b77882f 100644 =2D-- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm 
@@ -1209,7 +1209,22 @@ changes.") ;; to use the system SQLite unless these options are enabled. (list (string-append "CFLAGS=3D-O2 -DSQLITE_SECURE_DELETE " "-DSQLITE_ENABLE_UNLOCK_NOTIFY " =2D "-DSQLITE_ENABLE_DBSTAT_VTAB")))) + "-DSQLITE_ENABLE_DBSTAT_VTAB")) + #:phases (modify-phases %standard-phases + (add-after 'install 'move-static-library + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out")) + (static (assoc-ref outputs "static"))) + (mkdir-p (string-append static "/lib")) + (rename-file (string-append out "/lib/libsqlite3.a") + (string-append static "/lib/libsqlite3= .a")) + ;; Remove reference to the static library from the = .la file + ;; so Libtool does the right thing when both the sh= ared and + ;; static library is available. + (substitute* (string-append out "/lib/libsqlite3.la= ") + (("^old_library=3D'libsqlite3.a'") "old_library= =3D''")) + #t)))))) + (outputs '("out" "static")) (home-page "https://www.sqlite.org/") (synopsis "The SQLite database management system") (description =2D-=20 2.20.0 --=-=-=-- --==-=-=--
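
Review bot: In the first hunk of [PATCH 1/2] (gnu/packages/databases.scm, @@ -1183,7), the version field of the sqlite package itself goes from "3.24.0" to "3.26.0" and no replacement field is added, so this is a full update that rebuilds every dependent of sqlite, not the in-place graft the cover message considers. If the fix should reach users before that rebuild completes, keep sqlite at 3.24.0 on the main branch with a replacement pointing at a 3.26.0 variant, and land this update on the rebuild branch. The commit log also gives no reason for the update; it should mention that this is a security update and reference bug#33751.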
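
Review bot: In the 'move-static-library phase added by [PATCH 2/2] (@@ -1209,7), the substitute* call on libsqlite3.la relies on a line matching ^old_library='libsqlite3.a' exactly, and substitute* leaves the file unchanged when nothing matches, so a change in Libtool's output would silently leave the .la file in "out" naming an archive that now lives only in "static". Escape the dot in the pattern and have the phase fail if the .la file still mentions libsqlite3.a after the substitution. In the comment above it, "both the shared and static library is available" should read "are available".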