On Fri, Jun 12, 2015 at 01:25:51PM +0200, Alessandro Ghedini wrote: > On Wed, Jun 10, 2015 at 08:15:42PM +0200, Alessandro Ghedini wrote: > > On Mon, Jun 08, 2015 at 06:54:55AM +0200, Santiago Ruano Rincón wrote: > > > Hi, > > > > > > sqlite3's DSA-3252-1 concerns three CVEs: CVE-2015-3414, CVE-2015-3415 > > > and CVE-2015-3416. I've took a look on how they impact wheezy and > > > squeeze, and as far as I can see, backporting CVE-2015-3414 and > > > CVE-2015-3415 is not so trivial and I'm not sure if they affect the old > > > stable releases. > > > > I couldn't reproduce CVE-2015-3414 in wheezy and squeeze so I marked it as n/a > > in the security-tracker. As for CVE-2015-3415, I'm not sure how one is supposed > > to reproduce it in the first place, so I can't really tell right now. > > > > > However, CVE-2015-3416 affects wheezy and I've backported the attached > > > patch. For the moment, I've been unable to reproduce the segfault in > > > squeeze, the code prevents overflowing when it converts floating-points, > > > but the fix can be backported to add an extra protection. Although, I'd > > > like to hear a second opinion. > > > What do you think? > > > > I don't think squeeze is affected by CVE-2015-3416 at all (even valgrind shows > > nothing), but I'll leave that to the LTS team to decide. > > > > In general CVE-2015-3416 doesn't seem all that critical, but since it's been > > fixed in jessie I don't see why it shouldn't be fixed in wheezy as well. But > > first I'd like to understand if wheezy is affected by CVE-2015-3415 or not. > > I've looked at CVE-2015-3415 more closely, and wheezy doesn't seem to be > affected. I stil couldn't find a way to reproduce it, mind you, but the gist of > the upstream patch [0] is the addition of the lines: > > flags1 = (pIn1->flags & ~MEM_TypeMask) | (flags1 & MEM_TypeMask); > [...] > flags3 = (pIn3->flags & ~MEM_TypeMask) | (flags3 & MEM_TypeMask); > > flags1 and flags3 are later used to reset the pIn1 and pIn3 flags: > > pIn1->flags = flags1; > [...] > pIn3->flags = flags3; > > However in the wheezy version of sqlite3 the reset of the flags fields was done > as follows: > > pIn1->flags = (pIn1->flags&~MEM_TypeMask) | (flags1&MEM_TypeMask); > pIn3->flags = (pIn3->flags&~MEM_TypeMask) | (flags3&MEM_TypeMask); > > So I don't think that the CVE-2015-3415 patch would add anything even if > someone finds a way to backport it. > > Regarding CVE-2015-3416, Santiago would you like to prepare a wheezy-security > upload with your patch? Nevermind that. I prepared the upload with your patch myself and will release soonish. Cheers
Attachment:
signature.asc
Description: Digital signature