GNU bug report logs

#33751 SQLite "Magellan" vulnerability


Report forwarded to bug-guix@gnu.org:
bug#33751; Package guix. (Sat, 15 Dec 2018 00:19:02 GMT)


Acknowledgement sent to Marius Bakke <mbakke@fastmail.com>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Sat, 15 Dec 2018 00:19:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Marius Bakke <mbakke@fastmail.com>
To: bug-guix@gnu.org
Subject: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 01:18:30 +0100
[Message part 1 (text/plain, inline)]
Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 

  1 Added function symbol not referenced by debug info:                                             

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.

[0001-gnu-SQLite-Update-to-3.26.0.patch (text/x-patch, attachment)]
[0002-gnu-SQLite-Add-static-output.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
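
The graft decision in the message above rests on the abidiff summary. As an added example (not part of the original message or of Guix), the following parses that summary and lists what would block an in-place replacement. The function names and the rule "nothing removed, nothing changed" are assumptions of this example.

```python
import re

# abidiff output quoted in the report above (3.24.0 vs 3.26.0 libsqlite3.so).
REPORT = """\
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

  sqlite3_create_window_function
"""

SUMMARY = re.compile(r"^\s*(?P<kind>[\w ]+?) changes summary: (?P<counts>.+)$")
COUNT = re.compile(r"(\d+) (Removed|Changed|Added)")


def parse_summary(text):
    """Return {kind: {"Removed": n, "Changed": n, "Added": n}} from abidiff text."""
    result = {}
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            # The symbol-level lines carry no "Changed" count; default it to 0.
            counts = {"Removed": 0, "Changed": 0, "Added": 0}
            for n, what in COUNT.findall(m.group("counts")):
                counts[what] = int(n)
            result[m.group("kind")] = counts
    return result


def graft_blockers(text):
    """List reasons the new library cannot stand in for the old one.

    Removed or changed interfaces can break dependents that are not rebuilt;
    additions are backward compatible.  Output without any summary line is
    reported as a blocker so a failed abidiff run is never read as "compatible".
    """
    summary = parse_summary(text)
    if not summary:
        return ["no abidiff summary found"]
    return [f"{kind}: {n} {what.lower()}"
            for kind, counts in summary.items()
            for what, n in counts.items()
            if what != "Added" and n]
```

When the compared libraries carry no debug information, abidiff can only compare ELF symbols, so an empty blocker list then says nothing about changed types or function signatures.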

Information forwarded to bug-guix@gnu.org:
bug#33751; Package guix. (Sat, 15 Dec 2018 01:52:01 GMT)


Message #8 received at 33751@debbugs.gnu.org:

From: Marius Bakke <mbakke@fastmail.com>
To: 33751@debbugs.gnu.org
Subject: Re: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 02:51:29 +0100
[Message part 1 (text/plain, inline)]
Marius Bakke <mbakke@fastmail.com> writes:

> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 
>
>   1 Added function symbol not referenced by debug info:                                             
>
>     sqlite3_create_window_function
>
> ...but I have not tested this.  It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a.  Can we start this on
> Berlin concurrently?  Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
mean time?  Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#33751; Package guix. (Sat, 15 Dec 2018 10:48:01 GMT)


Message #11 received at 33751@debbugs.gnu.org:

From: Ricardo Wurmus <rekado@elephly.net>
To: Marius Bakke <mbakke@fastmail.com>
Cc: 33751@debbugs.gnu.org
Subject: Re: bug#33751: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 11:47:07 +0100
Marius Bakke <mbakke@fastmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Hello!
>>
>> There is allegedly a remote code execution bug in all versions of SQLite
>> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>>
>> I think it is safe to graft 3.26.0 in-place:
>>
>> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
>>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
>>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
>>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 
>>
>>   1 Added function symbol not referenced by debug info:                                             
>>
>>     sqlite3_create_window_function
>>
>> ...but I have not tested this.  It's difficult to tell which patches to
>> apply without knowing more details of the vulnerability.
>>
>> I am currently building a branch that adds a "static" output for
>> SQLite in order to catch users of libsqlite3.a.  Can we start this on
>> Berlin concurrently?  Patches attached.
>
> Perhaps it's better to start over 'staging' with the new SQLite in the
> mean time?  Hydra didn't get too far yet.
>
> It does not add a lot to the current rebuild count.

Sounds good to me.  Thank you!

-- 
Ricardo





Information forwarded to bug-guix@gnu.org:
bug#33751; Package guix. (Mon, 17 Dec 2018 19:06:02 GMT)


Message #14 received at 33751@debbugs.gnu.org:

From: Mark H Weaver <mhw@netris.org>
To: Alex Vong <alexvong1995@gmail.com>
Cc: guix-devel@gnu.org, 33751@debbugs.gnu.org
Subject: Re: [SECURITY] Which packages bundle sqlite?
Date: Mon, 17 Dec 2018 14:04:16 -0500
Hi Alex,

This issue is being tracked at <https://bugs.gnu.org/33751>,
so it would be best to send followups regarding this issue to
<33751@debbugs.gnu.org>.

Alex Vong <alexvong1995@gmail.com> writes:

> I also want to know should we graft in this case since updating sqlite
> would cause ~4000s rebuilds.

Yes, it should be grafted.

> Besides, how to deal with packages that
> inherit sqlite when grafting?
> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)

These should be changed to use the 'package/inherit' macro.

Thanks for working on it!

      Mark




Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 17 Dec 2018 22:05:01 GMT)


Information forwarded to bug-guix@gnu.org:
bug#33751; Package guix. (Tue, 18 Dec 2018 03:08:01 GMT)


Message #19 received at 33751@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: Mark H Weaver <mhw@netris.org>
Cc: 33751@debbugs.gnu.org, alexvong1995@gmail.com
Subject: Re: [SECURITY] Which packages bundle sqlite?
Date: Tue, 18 Dec 2018 11:07:24 +0800
[Message part 1 (text/plain, inline)]
Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

> Hi Alex,
>
> This issue is being tracked at <https://bugs.gnu.org/33751>,
> so it would be best to send followups regarding this issue to
> <33751@debbugs.gnu.org>.
>
Thanks for pointing me to the right place. I checked guix-patches but
not guix...

> Alex Vong <alexvong1995@gmail.com> writes:
>
>> I also want to know should we graft in this case since updating sqlite
>> would cause ~4000s rebuilds.
>
> Yes, it should be grafted.
>
>> Besides, how to deal with packages that
>> inherit sqlite when grafting?
>> (e.g. sqlite-with-fts5 and sqlite-with-column-metadata)
>
> These should be changed to use the 'package/inherit' macro.
>
I sent the patch to
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783>.

> Thanks for working on it!
>
>       Mark

Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Reply sent to Alex Vong <alexvong1995@gmail.com>:
You have taken responsibility. (Tue, 25 Dec 2018 18:12:01 GMT)


Notification sent to Marius Bakke <mbakke@fastmail.com>:
bug acknowledged by developer. (Tue, 25 Dec 2018 18:12:02 GMT)


Message #24 received at 33751-done@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: 33751-done@debbugs.gnu.org
Cc: alexvong1995@gmail.com
Subject: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Wed, 26 Dec 2018 02:11:28 +0800
[Message part 1 (text/plain, inline)]
Closing as patch was applied

[Message part 2 (message/rfc822, inline)]
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Alex Vong <alexvong1995@gmail.com>
Subject: bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Mon, 24 Dec 2018 09:36:02 +0000
[Message part 3 (text/plain, inline)]
Your bug report

#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 33783@debbugs.gnu.org.

-- 
33783: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
[Message part 4 (message/rfc822, inline)]
From: Efraim Flashner <efraim@flashner.co.il>
To: 33783-done@debbugs.gnu.org
Subject: Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Date: Mon, 24 Dec 2018 11:35:36 +0200
[Message part 5 (text/plain, inline)]
Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]
[Message part 7 (message/rfc822, inline)]
From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Date: Tue, 18 Dec 2018 10:53:19 +0800
[Message part 8 (text/plain, inline)]
Tag: security

Hello,

This patch grafts sqlite to its latest version. It also changes all the
sqlite-* packages to use 'package/inherit' so that they get the
replacement as well. See <https://bugs.gnu.org/33751> for details.

[0001-gnu-sqlite-Replace-with-3.26.0-security-fixes.patch (text/x-diff, inline)]
From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Fixes <https://bugs.gnu.org/33751>.
Reported by Marius Bakke <mbakke@fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
 gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451e..78d9a6739 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -24,7 +24,7 @@
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017, 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017, 2018 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2017, 2018 Pierre Langlois <pierre.langlois@gmx.com>
@@ -1183,6 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
+   (replacement sqlite-3.26.0)
    (version "3.24.0")
    (source (origin
             (method url-fetch)
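
Review bot: the new `(replacement sqlite-3.26.0)` field carries no comment saying why a graft is acceptable here. The only ABI evidence in bug 33751 is the abidiff run between 3.24.0 and 3.26.0 (nothing removed or changed, one added symbol, `sqlite3_create_window_function`), and the reporter notes it was not tested; a one-line comment above the field pointing at that bug would tell whoever ungrafts this later what the decision was based on. Note also that a graft only rewrites references to the shared library, so the users of libsqlite3.a mentioned in the report stay on 3.24.0 until they are rebuilt.
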
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite-3.26.0
+  (package/inherit sqlite
+    (version "3.26.0")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2018/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))))
+
 ;; This is used by Tracker.
 (define-public sqlite-with-fts5
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-fts5")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
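
Review bot: `sqlite-3.26.0` is defined with `(package/inherit sqlite ...)`, yet `sqlite` is the package whose `replacement` field now points at `sqlite-3.26.0`. `package/inherit` exists to apply the overrides to the parent's replacement as well, so using it for the replacement itself makes the definition refer back to itself; please confirm the module still loads, or use plain `(package (inherit sqlite) (version "3.26.0") ...)` for this definition and keep `package/inherit` for `sqlite-with-fts5` and `sqlite-with-column-metadata`, where it is what makes the variants pick up the graft.
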
@@ -1230,7 +1251,7 @@ is in the public domain.")
 
 ;; This is used by Qt.
 (define-public sqlite-with-column-metadata
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-column-metadata")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
-- 
2.19.2

[Message part 10 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 23 Jan 2019 12:24:04 GMT)

