
Bug#835443: jessie-pu: package sqlite3/3.8.7.1-1+deb8u2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Release Team,

There's a vulnerability in SQLite3 [1] which was fixed in Sid and
Stretch, but not yet in Jessie. The Security Team decided it's a minor
issue that doesn't warrant a DSA.

Another issue, a segfault on heavy 'SAVEPOINT' usage [2][3] which
affects Django, is fixed as well.

Proposed patch is attached.

Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2016-6153
[2] http://bugs.debian.org/835205
[3] https://www.sqlite.org/src/info/c4b9c611
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog	2015-05-02 07:59:48.000000000 +0000
+++ sqlite3-3.8.7.1/debian/changelog	2016-08-25 16:10:24.000000000 +0000
@@ -1,3 +1,11 @@
+sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium
+
+  * Fix CVE-2016-6153 , Tempdir Selection Vulnerability.
+  * Backport fix for segfault following heavy SAVEPOINT usage
+    (closes: #835205).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 25 Aug 2016 16:10:24 +0000
+
 sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high
 
   * Fix CVE-2015-3414 , use of uninitialized memory when parsing collation
diff -Nru sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch
--- sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,31 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5423,10 +5423,10 @@ static const char *unixTempFileDir(void)
+     if( zDir==0 ) continue;
+     if( osStat(zDir, &buf) ) continue;
+     if( !S_ISDIR(buf.st_mode) ) continue;
+-    if( osAccess(zDir, 07) ) continue;
+-    break;
++    if( osAccess(zDir, 03) ) continue;
++    return zDir;
+   }
+-  return zDir;
++  return 0;
+ }
+ 
+ /*
+@@ -5446,10 +5446,11 @@ static int unixGetTempname(int nBuf, cha
+   ** using the io-error infrastructure to test that SQLite handles this
+   ** function failing. 
+   */
++  zBuf[0] = 0;
+   SimulateIOError( return SQLITE_IOERR );
+ 
+   zDir = unixTempFileDir();
+-  if( zDir==0 ) zDir = ".";
++  if( zDir==0 ) return SQLITE_IOERR_GETTEMPPATH;
+ 
+   /* Check that the output buffer is large enough for the temporary file 
+   ** name. If it is not, return SQLITE_ERROR.
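Review bot: The new patch file has no DEP-3 header, so nothing in debian/patches says what these two hunks fix or where they come from; a `Description: CVE-2016-6153: do not fall back to the current directory when no temp directory is usable` line and an `Origin: upstream, <upstream check-in URL>` line above `Index:` would cover it, and the same header is missing from 46, 47 and 50 (the last of which should also carry `Bug-Debian: http://bugs.debian.org/835205`). Two behavioural changes deserve a sentence in that header because neither is obvious from the diff: unixGetTempname now returns SQLITE_IOERR_GETTEMPPATH instead of silently using "." when unixTempFileDir finds nothing, and the osAccess mask drops from 07 to 03, so a candidate directory no longer has to be readable, only writable and searchable. Placing the new `zBuf[0] = 0;` before SimulateIOError is right, since it guarantees an empty, terminated name on every failure path. Both unixTempFileDir and unixGetTempname start before their hunks, and unixGetTempname continues past the end of this one.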
diff -Nru sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch
--- sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,13 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5419,7 +5419,7 @@ static const char *unixTempFileDir(void)
+   azDirs[0] = sqlite3_temp_directory;
+   if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+   if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+-  for(i=0; i<sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
++  for(i=0; i<=sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
+     if( zDir==0 ) continue;
+     if( osStat(zDir, &buf) ) continue;
+     if( !S_ISDIR(buf.st_mode) ) continue;
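Review bot: Changing the bound to `i<=` makes the increment expression `zDir=azDirs[i++]` run once more than there are elements: on the final pass i equals sizeof(azDirs)/sizeof(azDirs[0]) and azDirs[i] is read one past the end of the array before the condition fails. The value is never dereferenced, because the loop exits on the next test, but the read itself is out of bounds. 47-CVE-2016-6153_part3.patch replaces this loop with one that checks the bound before the assignment, so the tree is only correct once both are applied; either fold this hunk into part 3 or state in the patch header that the three parts must be applied together. unixTempFileDir starts before this hunk.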
diff -Nru sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch
--- sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/47-CVE-2016-6153_part3.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,35 @@
+Index: sqlite3/src/os_unix.c
+==================================================================
+--- sqlite3/src/os_unix.c
++++ sqlite3/src/os_unix.c
+@@ -5412,19 +5412,23 @@ static const char *unixTempFileDir(void)
+      "/tmp",
+      0        /* List terminator */
+   };
+-  unsigned int i;
++  unsigned int i = 0;
+   struct stat buf;
+   const char *zDir = 0;
+ 
+   azDirs[0] = sqlite3_temp_directory;
+   if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+   if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+-  for(i=0; i<=sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){
+-    if( zDir==0 ) continue;
+-    if( osStat(zDir, &buf) ) continue;
+-    if( !S_ISDIR(buf.st_mode) ) continue;
+-    if( osAccess(zDir, 03) ) continue;
+-    return zDir;
++  while(1){
++    if( zDir!=0
++     && osStat(zDir, &buf)==0
++     && S_ISDIR(buf.st_mode)
++     && osAccess(zDir, 03)==0
++    ){
++      return zDir;
++    }
++    if( i>=sizeof(azDirs)/sizeof(azDirs[0]) ) break;
++    zDir = azDirs[i++];
+   }
+   return 0;
+ }
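Review bot: The rewritten loop carries no comment explaining its shape, and `while(1)` with a separate bound check reads like an accident when the real point is that `zDir` holds the element picked up on the previous pass and the bound must be tested before `azDirs[i]` is read. A comment above `while(1){` such as `/* zDir lags i by one; test the bound before reading azDirs[i] so the loop never reads past the array. The trailing 0 entry is just skipped like any unusable entry. */` would record that. unixTempFileDir starts before this hunk (the azDirs initializer is cut at the top).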
diff -Nru sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch
--- sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch	2016-08-25 16:10:24.000000000 +0000
@@ -0,0 +1,29 @@
+Index: sqlite3/src/memjournal.c
+==================================================================
+--- sqlite3/src/memjournal.c
++++ sqlite3/src/memjournal.c
+@@ -77,6 +77,7 @@ static int memjrnlRead(
+ 
+   /* SQLite never tries to read past the end of a rollback journal file */
+   assert( iOfst+iAmt<=p->endpoint.iOffset );
++  assert( p->readpoint.iOffset==0 || p->readpoint.pChunk!=0 );
+ 
+   if( p->readpoint.iOffset!=iOfst || iOfst==0 ){
+     sqlite3_int64 iOff = 0;
+@@ -88,6 +89,7 @@ static int memjrnlRead(
+     }
+   }else{
+     pChunk = p->readpoint.pChunk;
++    assert( pChunk!=0 );
+   }
+ 
+   iChunkOffset = (int)(iOfst%JOURNAL_CHUNKSIZE);
+@@ -99,7 +101,7 @@ static int memjrnlRead(
+     nRead -= iSpace;
+     iChunkOffset = 0;
+   } while( nRead>=0 && (pChunk=pChunk->pNext)!=0 && nRead>0 );
+-  p->readpoint.iOffset = iOfst+iAmt;
++  p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;
+   p->readpoint.pChunk = pChunk;
+ 
+   return SQLITE_OK;
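Review bot: The one functional line, `p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;`, has no comment saying why 0 is the right value, and the two added asserts document the invariant only in builds where assert is active. From the visible lines, a read that ends exactly on a chunk boundary leaves pChunk NULL after the do/while, and a readpoint with iOffset 0 sends the next call through the branch guarded by `p->readpoint.iOffset!=iOfst || iOfst==0` instead of picking up the NULL pChunk; a comment on the changed line, e.g. `/* pChunk==0: the read ended on a chunk boundary; reset so the next read re-seeks from the head */`, would make the fix self-explanatory. memjrnlRead starts before the first hunk and its closing brace lies past the last one.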
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series	2015-05-02 07:59:48.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/series	2016-08-25 16:10:24.000000000 +0000
@@ -9,3 +9,7 @@
 40-CVE-2015-3414.patch
 41-CVE-2015-3415.patch
 42-CVE-2015-3416.patch
+45-CVE-2016-6153_part1.patch
+46-CVE-2016-6153_part2.patch
+47-CVE-2016-6153_part3.patch
+50-fix_in-memory_journal.patch
