From: Marius Bakke
Subject: bug#33751: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 02:51:29 +0100
Message-ID: <87o99nv9pa.fsf@fastmail.com>
In-Reply-To: <87r2ejve09.fsf@fastmail.com>
List-Id: Bug reports for GNU Guix
To: 33751@debbugs.gnu.org

Marius Bakke writes:

> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: .
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 1 Added function symbol not referenced by debug info:
>
>   sqlite3_create_window_function
>
> ...but I have not tested this.  It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a.  Can we start this on
> Berlin concurrently?

Patches attached.  Perhaps it's better to start over 'staging' with the
new SQLite in the mean time?  Hydra didn't get too far yet.  It does not
add a lot to the current rebuild count.
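The ABI check quoted in the message, as an added example that is not part of the original mail or of Guix: it parses the four abidiff summary lines and accepts an in-place replacement only when nothing was removed or changed. The function names and the second sample report are constructed for illustration.

```python
import re

# The four summary lines abidiff prints, as seen in the quoted report.
SUMMARY = re.compile(
    r"^(Functions|Variables|Function symbols|Variable symbols) changes summary: (.*)$"
)
COUNT = re.compile(r"(\d+) (Removed|Changed|Added)")
EXPECTED = {"Functions", "Variables", "Function symbols", "Variable symbols"}


def parse_summary(report):
    """Return {category: {"Removed": n, "Changed": n, "Added": n}}."""
    result = {}
    for line in report.splitlines():
        # Tolerate mail quoting ("> ") and trailing padding.
        m = SUMMARY.match(line.lstrip("> ").rstrip())
        if m:
            result[m.group(1)] = {kind: int(n) for n, kind in COUNT.findall(m.group(2))}
    return result


def graft_compatible(report):
    """True only if all four summaries are present and nothing was removed
    or changed. Added symbols are fine: existing dependents never call them.
    This checks the ABI surface only, not behaviour."""
    summary = parse_summary(report)
    if set(summary) != EXPECTED:
        return False  # incomplete or truncated report: fail closed
    return all(c.get("Removed", 0) == 0 and c.get("Changed", 0) == 0
               for c in summary.values())


# Summary lines as quoted in the message (3.24.0 vs 3.26.0).
PAGE_REPORT = """\
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
"""

# Constructed counter-example: one exported symbol disappeared.
BREAKING_REPORT = PAGE_REPORT.replace("0 Removed, 1 Added", "1 Removed, 1 Added")

if __name__ == "__main__":
    print("page report graftable:", graft_compatible(PAGE_REPORT))
    print("constructed breaking report graftable:", graft_compatible(BREAKING_REPORT))
```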