all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#33751: SQLite "Magellan" vulnerability
@ 2018-12-15  0:18 Marius Bakke
  2018-12-15  1:51 ` Marius Bakke
  2018-12-25 18:11 ` bug#33751: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].) Alex Vong
  0 siblings, 2 replies; 4+ messages in thread
From: Marius Bakke @ 2018-12-15  0:18 UTC (permalink / raw)
  To: 33751


[-- Attachment #1.1: Type: text/plain, Size: 1232 bytes --]

Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 

  1 Added function symbol not referenced by debug info:                                             

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-SQLite-Update-to-3.26.0.patch --]
[-- Type: text/x-patch, Size: 1174 bytes --]

From 5556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:16 +0100
Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0.

* gnu/packages/databases.scm (sqlite): Update to 3.26.0.
---
 gnu/packages/databases.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451ed..a3848dee8e 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1183,7 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.24.0")
+   (version "3.26.0")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -1199,7 +1199,7 @@ changes.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
+              "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
-- 
2.20.0


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.3: 0002-gnu-SQLite-Add-static-output.patch --]
[-- Type: text/x-patch, Size: 2069 bytes --]

From ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:37 +0100
Subject: [PATCH 2/2] gnu: SQLite: Add static output.

* gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-library'.
[outputs]: New field.
---
 gnu/packages/databases.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index a3848dee8e..148b77882f 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1209,7 +1209,22 @@ changes.")
       ;; to use the system SQLite unless these options are enabled.
       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
-                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
+                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-library
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (mkdir-p (string-append static "/lib"))
+                       (rename-file (string-append out "/lib/libsqlite3.a")
+                                    (string-append static "/lib/libsqlite3.a"))
+                       ;; Remove reference to the static library from the .la file
+                       ;; so Libtool does the right thing when both the shared and
+                       ;; static library is available.
+                       (substitute* (string-append out "/lib/libsqlite3.la")
+                         (("^old_library='libsqlite3.a'") "old_library=''"))
+                       #t))))))
+   (outputs '("out" "static"))
    (home-page "https://www.sqlite.org/")
    (synopsis "The SQLite database management system")
    (description
-- 
2.20.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-12-25 18:12 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-15  0:18 bug#33751: SQLite "Magellan" vulnerability Marius Bakke
2018-12-15  1:51 ` Marius Bakke
2018-12-15 10:47   ` Ricardo Wurmus
2018-12-25 18:11 ` bug#33751: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].) Alex Vong

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.