bug#33751: SQLite "Magellan" vulnerability

bug#33751: SQLite "Magellan" vulnerability

[Marius Bakke]

[-- Attachment #1.1: Type: text/plain, Size: 1232 bytes --]

Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 

  1 Added function symbol not referenced by debug info:                                             

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-SQLite-Update-to-3.26.0.patch --]
[-- Type: text/x-patch, Size: 1174 bytes --]

From 5556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:16 +0100
Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0.

* gnu/packages/databases.scm (sqlite): Update to 3.26.0.
---
 gnu/packages/databases.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451ed..a3848dee8e 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1183,7 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.24.0")
+   (version "3.26.0")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -1199,7 +1199,7 @@ changes.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
+              "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
-- 
2.20.0


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.3: 0002-gnu-SQLite-Add-static-output.patch --]
[-- Type: text/x-patch, Size: 2069 bytes --]

From ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:37 +0100
Subject: [PATCH 2/2] gnu: SQLite: Add static output.

* gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-library'.
[outputs]: New field.
---
 gnu/packages/databases.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index a3848dee8e..148b77882f 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1209,7 +1209,22 @@ changes.")
       ;; to use the system SQLite unless these options are enabled.
       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
-                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
+                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-library
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (mkdir-p (string-append static "/lib"))
+                       (rename-file (string-append out "/lib/libsqlite3.a")
+                                    (string-append static "/lib/libsqlite3.a"))
+                       ;; Remove reference to the static library from the .la file
+                       ;; so Libtool does the right thing when both the shared and
+                       ;; static library is available.
+                       (substitute* (string-append out "/lib/libsqlite3.la")
+                         (("^old_library='libsqlite3.a'") "old_library=''"))
+                       #t))))))
+   (outputs '("out" "static"))
    (home-page "https://www.sqlite.org/")
    (synopsis "The SQLite database management system")
    (description
-- 
2.20.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

bug#33751: SQLite "Magellan" vulnerability

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1487 bytes --]

Marius Bakke <mbakke@fastmail.com> writes:

> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 
>
>   1 Added function symbol not referenced by debug info:                                             
>
>     sqlite3_create_window_function
>
> ...but I have not tested this.  It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a.  Can we start this on
> Berlin concurrently?  Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
mean time?  Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

bug#33751: SQLite "Magellan" vulnerability

[Ricardo Wurmus]

Marius Bakke <mbakke@fastmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Hello!
>>
>> There is allegedly a remote code execution bug in all versions of SQLite
>> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>>
>> I think it is safe to graft 3.26.0 in-place:
>>
>> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
>>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
>>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
>>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 
>>
>>   1 Added function symbol not referenced by debug info:                                             
>>
>>     sqlite3_create_window_function
>>
>> ...but I have not tested this.  It's difficult to tell which patches to
>> apply without knowing more details of the vulnerability.
>>
>> I am currently building a branch that adds a "static" output for
>> SQLite in order to catch users of libsqlite3.a.  Can we start this on
>> Berlin concurrently?  Patches attached.
>
> Perhaps it's better to start over 'staging' with the new SQLite in the
> mean time?  Hydra didn't get too far yet.
>
> It does not add a lot to the current rebuild count.

Sounds good to me.  Thank you!

-- 
Ricardo

bug#33751: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)

[Alex Vong]

[-- Attachment #1.1: Type: text/plain, Size: 29 bytes --]

Closing as patch was appied


[-- Attachment #1.2: Type: message/rfc822, Size: 17012 bytes --]

[-- Attachment #1.2.1.1: Type: text/plain, Size: 432 bytes --]

Your bug report

#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 33783@debbugs.gnu.org.

-- 
33783: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

[-- Attachment #1.2.1.2: Type: message/rfc822, Size: 3474 bytes --]

[-- Attachment #1.2.1.2.1.1: Type: text/plain, Size: 275 bytes --]

Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2.1.2.1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #1.2.1.3: Type: message/rfc822, Size: 9284 bytes --]

[-- Attachment #1.2.1.3.1.1.1: Type: text/plain, Size: 227 bytes --]

Tag: security

Hello,

This patch grafts sqlite to its latest version. It also changes all the
sqlite-* packages to use 'package/inherit' so that they get the
replacement as well. See <https://bugs.gnu.org/33751> for details.


[-- Attachment #1.2.1.3.1.1.2: 0001-gnu-sqlite-Replace-with-3.26.0-security-fixes.patch --]
[-- Type: text/x-diff, Size: 3242 bytes --]

From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Fixes <https://bugs.gnu.org/33751>.
Reported by Marius Bakke <mbakke@fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
 gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451e..78d9a6739 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -24,7 +24,7 @@
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017, 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017, 2018 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2017, 2018 Pierre Langlois <pierre.langlois@gmx.com>
@@ -1183,6 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
+   (replacement sqlite-3.26.0)
    (version "3.24.0")
    (source (origin
             (method url-fetch)
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite-3.26.0
+  (package/inherit sqlite
+    (version "3.26.0")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2018/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))))
+
 ;; This is used by Tracker.
 (define-public sqlite-with-fts5
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-fts5")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
@@ -1230,7 +1251,7 @@ is in the public domain.")
 
 ;; This is used by Qt.
 (define-public sqlite-with-column-metadata
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-column-metadata")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
-- 
2.19.2


[-- Attachment #1.2.1.3.1.1.3: Type: text/plain, Size: 14 bytes --]


Cheers,
Alex

[-- Attachment #1.2.1.3.1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]