GNU bug report logs

#33751 SQLite "Magellan" vulnerability

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 15 Dec 2018 00:18:57 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Dec 14 19:18:57 2018
Received: from localhost ([127.0.0.1]:48699 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gXxfQ-0006ZK-IH
	for submit@debbugs.gnu.org; Fri, 14 Dec 2018 19:18:57 -0500
Received: from eggs.gnu.org ([208.118.235.92]:51618)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1gXxfO-0006Z4-IC
 for submit@debbugs.gnu.org; Fri, 14 Dec 2018 19:18:51 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mbakke@fastmail.com>) id 1gXxfG-0000g6-QQ
 for submit@debbugs.gnu.org; Fri, 14 Dec 2018 19:18:45 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:38751)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1gXxfG-0000fx-9I
 for submit@debbugs.gnu.org; Fri, 14 Dec 2018 19:18:42 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:32986)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mbakke@fastmail.com>) id 1gXxfE-0005G0-KK
 for bug-guix@gnu.org; Fri, 14 Dec 2018 19:18:42 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mbakke@fastmail.com>) id 1gXxfA-0000em-3K
 for bug-guix@gnu.org; Fri, 14 Dec 2018 19:18:40 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:59991)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1gXxf9-0000eE-Mf
 for bug-guix@gnu.org; Fri, 14 Dec 2018 19:18:36 -0500
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 4C6EA21ADE
 for <bug-guix@gnu.org>; Fri, 14 Dec 2018 19:18:33 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute5.internal (MEProxy); Fri, 14 Dec 2018 19:18:33 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:subject:date:message-id:mime-version:content-type; s=
 fm1; bh=NsW2LU6mBlZ8ATMa9OwK4UZBIqBp0fp7fpcOO+znxGk=; b=T24HELlY
 PG97xJjqeId95xwzPVETY63N2t19NdMcQTbmRNoF64R9xQ3GEaK9REqFMt9tgx2H
 ZM9GxY7jy4n6wwKvEQdrWLLHnVMXVJml7DlQFsMUSf0fdYhvWVZULMDfFY5aDcPQ
 1fvKYPh1DeZdVjbJHy85yKYJ4MqRdgsdUHCKuu6eZ+L0JY8NC1R1eLhEu7nTcBFL
 QNMntsC5Jv3P3CFgo0adL1vxGAodNuD/dlrOmhmeO7N/SC4D87Hy76yb/kUTosfV
 0IH/IHNqPm02nwAIDPrJ2StzDyEMpIIaVq9sOFx59EJcjUmNbdbAms6ry5M0mk5J
 bdGYF/roG3tB2Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm1; bh=NsW2LU6mBlZ8ATMa9OwK4UZBIqBp0
 fp7fpcOO+znxGk=; b=NuYZa5V+CKxpLA4GZPQoqg2fiYaHoD6870PWDbZ92btVu
 +yqaZR2Bri8s6A47RSjfrrYA4fdIh6XgTqAbIU5ewqeQ/jedlcwIssqmZ2HkWzro
 x/nIJlVfVFSoxqsrH/+F8/HjvYJkO6XavjzijfkKXYvHgvNJ7BBaivB2x63/1Ojv
 UbiUgE4MCn09+73/LTkABHEzGd/8GE5DvVlmaQPorMUJILHGawgplbyUT9jZTLkt
 5ku2Wgw8/4FRevVS1ydGmhR7ishGK2wFSKDxhE6L/hUQiRl1sBnKSSlSTfQzkMpg
 xkUrDNpCj/CiF3RvGnODpaZDkJKR+wgqYHaXG6z9g==
X-ME-Sender: <xms:WUgUXGAKN21z9ti6YZSTtytvm41UllxiWfcIv2GTKusnjhCjgdsNKA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtkedrudehiedgudelucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef
 tddtnecunecujfgurhephffvufgffffkgggtsehgtderredtredtnecuhfhrohhmpeforg
 hrihhushcuuegrkhhkvgcuoehmsggrkhhkvgesfhgrshhtmhgrihhlrdgtohhmqeenucff
 ohhmrghinhepthgvnhgtvghnthdrtghomhdplhhisghsqhhlihhtvgefrdhsohenucfkph
 epiedvrdduiedrvddviedrudegtdenucfrrghrrghmpehmrghilhhfrhhomhepmhgsrghk
 khgvsehfrghsthhmrghilhdrtghomhenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:WUgUXIv9CZNKSskaX5IH38pY3JbVNkwC5ZLgW_H5B4uyMIDAvDQPWg>
 <xmx:WUgUXA7oeNqxChJAsMhEAufjkEiN71fnZePEy-k5vSIEAk7jE6WzIQ>
 <xmx:WUgUXCeI0AbT90E6fTuF8yT8FOjhF19P4sMMGOrp8nXPoqvhuTvpSw>
 <xmx:WUgUXO1rcRMzzaIc02rXsFMnm0rjAnwtjRCIcGDn-4eIgWkExbFzzA>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id 8CF14E43A6
 for <bug-guix@gnu.org>; Fri, 14 Dec 2018 19:18:32 -0500 (EST)
From: Marius Bakke <mbakke@fastmail.com>
To: bug-guix@gnu.org
Subject: SQLite "Magellan" vulnerability
User-Agent: Notmuch/0.28 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 15 Dec 2018 01:18:30 +0100
Message-ID: <87r2ejve09.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.3 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.3 (/)

[Message part 1 (text/plain, inline)]
Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 

  1 Added function symbol not referenced by debug info:                                             

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.


[0001-gnu-SQLite-Update-to-3.26.0.patch (text/x-patch, attachment)]
[0002-gnu-SQLite-Add-static-output.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:33:24 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.