GNU bug report logs

#33783 [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Package	Source(s)		Maintainer(s)
guix-patches		PTS Buildd Popcon

Reported by Alex Vong <alexvong1995@gmail.com>
Date 2018-12-18T02:55:02
Severity normal
Tags patch security
Done Efraim Flashner <efraim@flashner.co.il>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to guix-patches@gnu.org:
bug#33783; Package guix-patches. (Tue, 18 Dec 2018 02:55:02 GMT) (full text, mbox, link).

Acknowledgement sent to Alex Vong <alexvong1995@gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Tue, 18 Dec 2018 02:55:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Tag: security

Hello,

This patch grafts sqlite to its latest version. It also changes all the
sqlite-* packages to use 'package/inherit' so that they get the
replacement as well. See <https://bugs.gnu.org/33751> for details.

[0001-gnu-sqlite-Replace-with-3.26.0-security-fixes.patch (text/x-diff, inline)]

From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Fixes <https://bugs.gnu.org/33751>.
Reported by Marius Bakke <mbakke@fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
 gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451e..78d9a6739 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -24,7 +24,7 @@
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017, 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017, 2018 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2017, 2018 Pierre Langlois <pierre.langlois@gmx.com>
@@ -1183,6 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
+   (replacement sqlite-3.26.0)
    (version "3.24.0")
    (source (origin
             (method url-fetch)
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite-3.26.0
+  (package/inherit sqlite
+    (version "3.26.0")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2018/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))))
+
 ;; This is used by Tracker.
 (define-public sqlite-with-fts5
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-fts5")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
@@ -1230,7 +1251,7 @@ is in the public domain.")
 
 ;; This is used by Qt.
 (define-public sqlite-with-column-metadata
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-column-metadata")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
-- 
2.19.2

[Message part 3 (text/plain, inline)]

Cheers,
Alex

[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Alex Vong <alexvong1995@gmail.com> to control@debbugs.gnu.org. (Tue, 18 Dec 2018 03:00:02 GMT) (full text, mbox, link).

Information forwarded to guix-patches@gnu.org:
bug#33783; Package guix-patches. (Tue, 18 Dec 2018 22:25:02 GMT) (full text, mbox, link).

Message #10 received at 33783@debbugs.gnu.org (full text, mbox, reply):

I applied your proposed patch to my private branch and updated my x86_64
GuixSD system with GNOME 3, and my user profiles including IceCat.
Everything seems to work well, and I've verified that IceCat is using
the new sqlite.

Please push this to master.

     Thanks!
       Mark

Information forwarded to guix-patches@gnu.org:
bug#33783; Package guix-patches. (Wed, 19 Dec 2018 01:12:01 GMT) (full text, mbox, link).

Message #13 received at 33783@debbugs.gnu.org (full text, mbox, reply):

Actually, there's one small problem with the patch: you should not use
'package/inherit' to define the replacement itself.  That leads to a
circular definition and an infinite series of replacements.  I guess the
grafting machinery copes with this somehow, but I'd prefer to avoid it.

I will soon push a slightly modified version of this patch.

      Mark

Information forwarded to guix-patches@gnu.org:
bug#33783; Package guix-patches. (Wed, 19 Dec 2018 06:21:01 GMT) (full text, mbox, link).

Message #16 received at 33783@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Mark H Weaver <mhw@netris.org> writes:

> Actually, there's one small problem with the patch: you should not use
> 'package/inherit' to define the replacement itself.  That leads to a
> circular definition and an infinite series of replacements.  I guess
> the
> grafting machinery copes with this somehow, but I'd prefer to avoid
> it.
>
I thought 'package/inherit' is a generalization of the previous
construct, but as you pointed out, it is not.

> I will soon push a slightly modified version of this patch.
>
OK!

>       Mark

Cheers,
Alex

[signature.asc (application/pgp-signature, inline)]

Reply sent to Efraim Flashner <efraim@flashner.co.il>:
You have taken responsibility. (Mon, 24 Dec 2018 09:36:02 GMT) (full text, mbox, link).

Notification sent to Alex Vong <alexvong1995@gmail.com>:
bug acknowledged by developer. (Mon, 24 Dec 2018 09:36:02 GMT) (full text, mbox, link).

Message #21 received at 33783-done@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Mon, 21 Jan 2019 12:24:06 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 14:39:15 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.