
Re: [sqlite3] About backporting DSA-3252-1 fixes to wheezy and squeeze



On Fri, Jun 12, 2015 at 01:25:51PM +0200, Alessandro Ghedini wrote:
> On Wed, Jun 10, 2015 at 08:15:42PM +0200, Alessandro Ghedini wrote:
> > On Mon, Jun 08, 2015 at 06:54:55AM +0200, Santiago Ruano Rincón wrote:
> > > Hi,
> > > 
> > > sqlite3's DSA-3252-1 concerns three CVEs: CVE-2015-3414, CVE-2015-3415
> > > and CVE-2015-3416. I've taken a look at how they impact wheezy and
> > > squeeze, and as far as I can see, backporting CVE-2015-3414 and
> > > CVE-2015-3415 is not so trivial and I'm not sure if they affect the old
> > > stable releases.
> > 
> > I couldn't reproduce CVE-2015-3414 in wheezy and squeeze so I marked it as n/a
> > in the security-tracker. As for CVE-2015-3415, I'm not sure how one is supposed
> > to reproduce it in the first place, so I can't really tell right now.
> > 
> > > However, CVE-2015-3416 affects wheezy and I've backported the attached
> > > patch. For the moment, I've been unable to reproduce the segfault in
> > > squeeze, the code prevents overflowing when it converts floating-points,
> > > but the fix can be backported to add an extra protection. Although, I'd
> > > like to hear a second opinion.
> > > What do you think?
> > 
> > I don't think squeeze is affected by CVE-2015-3416 at all (even valgrind shows
> > nothing), but I'll leave that to the LTS team to decide.
> > 
> > In general CVE-2015-3416 doesn't seem all that critical, but since it's been
> > fixed in jessie I don't see why it shouldn't be fixed in wheezy as well. But
> > first I'd like to understand if wheezy is affected by CVE-2015-3415 or not.
> 
> I've looked at CVE-2015-3415 more closely, and wheezy doesn't seem to be
> affected. I still couldn't find a way to reproduce it, mind you, but the gist of
> the upstream patch [0] is the addition of the lines:
> 
>   flags1 = (pIn1->flags & ~MEM_TypeMask) | (flags1 & MEM_TypeMask);
>   [...]
>   flags3 = (pIn3->flags & ~MEM_TypeMask) | (flags3 & MEM_TypeMask);
> 
> flags1 and flags3 are later used to reset the pIn1 and pIn3 flags:
> 
>   pIn1->flags = flags1;
>   [...]
>   pIn3->flags = flags3;
> 
> However in the wheezy version of sqlite3 the reset of the flags fields was done
> as follows:
> 
>   pIn1->flags = (pIn1->flags&~MEM_TypeMask) | (flags1&MEM_TypeMask);
>   pIn3->flags = (pIn3->flags&~MEM_TypeMask) | (flags3&MEM_TypeMask);
> 
> So I don't think that the CVE-2015-3415 patch would add anything even if
> someone finds a way to backport it.
> 
> Regarding CVE-2015-3416, Santiago would you like to prepare a wheezy-security
> upload with your patch?

Never mind that. I prepared the upload with your patch myself and will release
soonish.

Cheers
