[PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

  • Done
  • quality assurance status badge
Details
3 participants
  • Alex Vong
  • Efraim Flashner
  • Mark H Weaver
Owner
unassigned
Submitted by
Alex Vong
Severity
normal

Debbugs page

A
A
Alex Vong wrote on 17 Dec 2018 18:53
(address . guix-patches@gnu.org)(address . alexvong1995@gmail.com)
87mup31r6o.fsf@gmail.com
Tag: security

Hello,

This patch grafts sqlite to its latest version. It also changes all the
sqlite-* packages to use 'package/inherit' so that they get the
replacement as well. See https://bugs.gnu.org/33751 for details.
From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Reported by Marius Bakke <mbakke@fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)

Toggle diff (63 lines)
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451e..78d9a6739 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -24,7 +24,7 @@
;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017, 2018 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2017, 2018 Ben Woodcroft <donttrustben@gmail.com>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2017, 2018 Pierre Langlois <pierre.langlois@gmx.com>
@@ -1183,6 +1183,7 @@ changes.")
(define-public sqlite
(package
(name "sqlite")
+ (replacement sqlite-3.26.0)
(version "3.24.0")
(source (origin
(method url-fetch)
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world. The source code for SQLite
is in the public domain.")
(license license:public-domain)))
+(define-public sqlite-3.26.0
+ (package/inherit sqlite
+ (version "3.26.0")
+ (source (origin
+ (method url-fetch)
+ (uri (let ((numeric-version
+ (match (string-split version #\.)
+ ((first-digit other-digits ...)
+ (string-append first-digit
+ (string-pad-right
+ (string-concatenate
+ (map (cut string-pad <> 2 #\0)
+ other-digits))
+ 6 #\0))))))
+ (string-append "https://sqlite.org/2018/sqlite-autoconf-"
+ numeric-version ".tar.gz")))
+ (sha256
+ (base32
+ "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))))
+
;; This is used by Tracker.
(define-public sqlite-with-fts5
- (package (inherit sqlite)
+ (package/inherit sqlite
(name "sqlite-with-fts5")
(arguments
(substitute-keyword-arguments (package-arguments sqlite)
@@ -1230,7 +1251,7 @@ is in the public domain.")
;; This is used by Qt.
(define-public sqlite-with-column-metadata
- (package (inherit sqlite)
+ (package/inherit sqlite
(name "sqlite-with-column-metadata")
(arguments
(substitute-keyword-arguments (package-arguments sqlite)
--
2.19.2
Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXBhhHwAKCRBh71Au9gJS
8uQDAP9K/j4Fho5Y0tGj2rPYQLgh2/X4rJ+Ad+xIKAtSja48xAEAyWKJMtJibdKy
D55YjKFBOZJ59CTp0rJcPU+WYFdBgQk=
=sDdb
-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 17 Dec 2018 18:58
Add security tag.
(address . control@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87ftuv1qx8.fsf@gmail.com
package guix-patches
tags 33783 security
thanks
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXBhicwAKCRBh71Au9gJS
8pYkAQDi037fpksJMP8UU3tS3M85G28vIqbBAnNZZiSsdKESNAD/YIdVd+PJ2P90
6sKSB3DbHMJJsKvbMm3dc5wYz7uwuws=
=BiB6
-----END PGP SIGNATURE-----

M
M
Mark H Weaver wrote on 18 Dec 2018 14:22
Bug#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33783@debbugs.gnu.org)
87a7l2a2zm.fsf@netris.org
I applied your proposed patch to my private branch and updated my x86_64
GuixSD system with GNOME 3, and my user profiles including IceCat.
Everything seems to work well, and I've verified that IceCat is using
the new sqlite.

Please push this to master.

Thanks!
Mark
M
M
Mark H Weaver wrote on 18 Dec 2018 17:10
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33783@debbugs.gnu.org)
875zvq9v8d.fsf@netris.org
Actually, there's one small problem with the patch: you should not use
'package/inherit' to define the replacement itself. That leads to a
circular definition and an infinite series of replacements. I guess the
grafting machinery copes with this somehow, but I'd prefer to avoid it.

I will soon push a slightly modified version of this patch.

Mark
A
A
Alex Vong wrote on 18 Dec 2018 22:20
(name . Mark H Weaver)(address . mhw@netris.org)
87sgyu9gwh.fsf@gmail.com
Mark H Weaver <mhw@netris.org> writes:

Toggle quote (7 lines)
> Actually, there's one small problem with the patch: you should not use
> 'package/inherit' to define the replacement itself. That leads to a
> circular definition and an infinite series of replacements. I guess
> the
> grafting machinery copes with this somehow, but I'd prefer to avoid
> it.
>
I thought 'package/inherit' is a generalization of the previous
construct, but as you pointed out, it is not.

Toggle quote (2 lines)
> I will soon push a slightly modified version of this patch.
>
OK!

Toggle quote (2 lines)
> Mark

Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXBnjLgAKCRBh71Au9gJS
8hvFAQDDybhTCKKljN+bVsWDIeIMJggWQpFJ8f5zCCV+XIWmxwEA/tMZGhZwhY+R
Eycfqf23QH4Ihemp9CS7Tozx0Zrcnws=
=6WeI
-----END PGP SIGNATURE-----

E
E
Efraim Flashner wrote on 24 Dec 2018 01:35
Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
(address . 33783-done@debbugs.gnu.org)
20181224093536.GI2581@macbook41
Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAlwgqGcACgkQQarn3Mo9
g1EHCQ//cvhKFqruDAP8Y72Gt8cvWC9MeySvEo6eCecl6otoRXPeqgnSu71QJxdd
s0QIO4dZtvqBSJiP9Y4x5wBBKBUWE4zcAXJpF1S7xRE/YVa2B1FGaQvo/bGiw2PN
cPK68SDckMD9v0bKKbn4kHFPckb2R9BXtI7b/rH1kD2CKz2PNmxmeXhhXXqVjuM/
REQGzcKSvhY13O/Cnh5UlJe1WeEzrBgKC3fUeDLdTXEoWe0pDFBUbJtRxrBt9zzv
G+7bAI1U/umDTJnZmHYPZKJRLNzKpwpl60sRMI4/YmRx6RmPyB81YzN/1pA9plzz
Be4IhV4Rxrq7weNhV8J7DM0MbRifsBHLZ2CyEtNRojyzzMz7qiHJjiKUPsut6Yyb
HimMJ40Em5BoSr2z4LNf9fw6oOrSZxUgyRpwtfS9zaWkebfCSgIrm9jY03UWNii+
IuUs4lD6z1aEk4iyvXrqzNZ73oA2YEwOkWAcmCdIwNb1TOjS6IhxyMp9vgRQhItm
K0S21B9yvX3+GlyL+UY7eTtKoQ/jhT8etWSebJOcL8zvXAxmi+y7GiGO9y/+8oP/
fBjtA92CTN97EFhQIya8rlq2OKnltCiKbrokOHfH5+XXfPjdNsb5xH60/GRA2QkB
JJjDnuuIGBcq53bbJ34zatGGNUxT7KxfLwilXJJ3ywG0gfXIJwc=
=ElCV
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 33783@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 33783
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch