GNU bug report logs

#33751 SQLite "Magellan" vulnerability

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #8 received at 33751@debbugs.gnu.org (full text, mbox, reply):

Received: (at 33751) by debbugs.gnu.org; 15 Dec 2018 01:51:41 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Dec 14 20:51:41 2018
Received: from localhost ([127.0.0.1]:48744 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gXz7E-0002QG-NH
	for submit@debbugs.gnu.org; Fri, 14 Dec 2018 20:51:40 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:35849)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1gXz7B-0002Pz-Tn
 for 33751@debbugs.gnu.org; Fri, 14 Dec 2018 20:51:39 -0500
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 89C9B21C60
 for <33751@debbugs.gnu.org>; Fri, 14 Dec 2018 20:51:32 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute5.internal (MEProxy); Fri, 14 Dec 2018 20:51:32 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:subject:in-reply-to:references:date:message-id
 :mime-version:content-type; s=fm1; bh=ETxO8GKuTdiTyhbbaZvRdU/Ofs
 YqL4U1tVjtqzitm2g=; b=patEOoY0e1Ap0rpGAT0iR+N8CxjQTMsCtq2soxqGAC
 wIC0/SPeGYEn/XlLZNGUw32/2skEnnI/iyagqYmIuuy7KJP3RwAPv7dBGAwqp0Sy
 CzUlpc3p7mjItk6QW9/vux7SgCyR1dklnZIZQnQhuFLZEmvURmN92YZcFXJJVPhG
 BLhSNmx/c0A7GKVboi62Sc/qR+agvoOtg4sXrtW6HrgLiqAC9qgBe9IYAf/xkBaX
 Js3hDrCOuqh5swf8MHn7U5ikUTkOY20AtIzzp+z++3cOIIXC+UFDRNuKg4y7Poig
 sua2pQl7HAbZFUsc04H6MIxYBecxQsnKPLt19ZrLBGdg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=ETxO8G
 KuTdiTyhbbaZvRdU/OfsYqL4U1tVjtqzitm2g=; b=oYIQOaFD/hQ1GVuKFCEUe4
 g1G77sZIVPvnWg6PZdrIAuo/2fRRURvnMS7BXyN+6xyBUX72tXfMDTHJf4f6r785
 M9Cl1kQS8Sn2pexTE68TVkqZkzYYFeWH/CGsC88LKtIW9+8snqkqub0xAXDu+tq6
 u77PQIoLVJIZkGUzIzZNRi9jd9LWqc8nkeqr18YBMia7i7Dmt57UbdVUqbkUOCaN
 tM10+taenRhJLnWZhLAYbSf+w5rlTRA9XbMbQPcI2oGzRSqRZSreasvKrDRuXanA
 Pdf8CIe2LfQ0TILTU06Y3q6Hp8yA5ZKYp+Tn4+N/S2h+0qU7oGOVtn+aWLv7e+kA
 ==
X-ME-Sender: <xms:JF4UXE9zln_mR9Q6LzBzFNL2Swudi5oyZ0mDD5pLhQ8YHNm_GJMM7A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtkedrudehiedgfeelucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef
 tddtnecunecujfgurhephffvufgjfhgffffkgggtsehgtderredtredtnecuhfhrohhmpe
 forghrihhushcuuegrkhhkvgcuoehmsggrkhhkvgesfhgrshhtmhgrihhlrdgtohhmqeen
 ucffohhmrghinhepthgvnhgtvghnthdrtghomhdplhhisghsqhhlihhtvgefrdhsohenuc
 fkphepiedvrdduiedrvddviedrudegtdenucfrrghrrghmpehmrghilhhfrhhomhepmhgs
 rghkkhgvsehfrghsthhmrghilhdrtghomhenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:JF4UXHVC_M6LJONkmz4XUp7guSbXCn2wh7WOXRyPkQ3RNBoFZ1vPXg>
 <xmx:JF4UXAAgm5D-7_JclgbDpMaeXJ-djdJSWDs7r4cynbSedCxsu7q_uw>
 <xmx:JF4UXEGc0zm1KeMgACVZ11tKWthcH19De4RoDcIHkgiAXhXSMy97aQ>
 <xmx:JF4UXLTfUZp4gPfcgxzELFtRQ5oK15j5uYwQDX5w_MI-zJ738YIH4g>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id D91C5102EA
 for <33751@debbugs.gnu.org>; Fri, 14 Dec 2018 20:51:31 -0500 (EST)
From: Marius Bakke <mbakke@fastmail.com>
To: 33751@debbugs.gnu.org
Subject: Re: SQLite "Magellan" vulnerability
In-Reply-To: <87r2ejve09.fsf@fastmail.com>
References: <87r2ejve09.fsf@fastmail.com>
User-Agent: Notmuch/0.28 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 15 Dec 2018 02:51:29 +0100
Message-ID: <87o99nv9pa.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 33751
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]
Marius Bakke <mbakke@fastmail.com> writes:

> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 
>
>   1 Added function symbol not referenced by debug info:                                             
>
>     sqlite3_create_window_function
>
> ...but I have not tested this.  It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a.  Can we start this on
> Berlin concurrently?  Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
mean time?  Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:41:28 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.