
Re: Request for help/comments: sqlite3

Hi Ola,

thanks for your response!

Ola Lundqvist:
> I have now looked into this problem to see if I can out something.
> 
> What I have done is to backtrack whether the code is ever executed by
> sqlite and I cannot find that it can be.
> 
> The rtreenode function is registered using sqlite3_create_function
> in sqlite3_rtree_init. But I cannot find that the sqlite3_rtree_init
> function is called from anywhere.
> 
> Based on this I think we can rather safely say that the function is not
> used in Debian and hence the package is not affected.

Ok, great. So given that others didn't comment (yet) and we both agree
on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.

Let's wait for the Security Team's opinion. My recommendation for them would
be to do the same, given that backporting the fix for CVE-2019-8457 to
the sqlite3 version in Stretch will be as complex as it is for Jessie.

> I think we usually
> mark it as ignored with a description. An alternative is to mark it as
> not-affected but I'm not sure whether that should be done in this case
> since the vulnerability is there, just not triggered. Someone else can
> maybe help out with that decision.

Marking it as 'non-affected' would be wrong as the package *is*
affected. It's just that we consider it a minor vulnerability that we
ignore for Jessie given that backporting a proper fix would mean very
invasive code changes.

@Security Team: do you have a suggestion on how to mark cases like this one
in data/CVE/list? The best would probably be to have a 'no-dla' flag, right?

> In addition to that I think we can rather safely mark it as ignored (at
> least postponed) since it should be seen as a minor issue. Such debug
> functions should not be used in live applications and hence the problem is
> not that big. SQL permissions in sqlite are not really something you give
> access to any user, at least that is my interpretation of its general use.
> 
> I hope this helps a little.

It helped a lot, thanks.

This leaves CVE-2019-5827 for sqlite3. As written in data/dla-needed,
the fix presumably is to migrate to 64-bit memory allocators for
integers in order to prevent possible integer overflows. There's been *a
lot* of those migrations between Jessie and latest unstable version. If
we want to properly fix CVE-2019-5827, we probably have to backport a
large portion of them.

Cheers
 jonas
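
A runtime check of the reachability argument above, added here as an example and not part of the original thread: it asks the sqlite3 library linked into Python whether `rtreenode` is registered as a SQL function at all, which is the premise the triage rests on. Calling the name with zero arguments makes SQLite reject the name or the arity before the function body ever runs, so the probe never touches the code behind CVE-2019-8457; the helper names are my own.

```python
import sqlite3


def sql_function_registered(name: str) -> bool:
    """Report whether this SQLite build exposes `name` as a SQL function.

    The probe issues `SELECT name()` with zero arguments. SQLite resolves the
    function name and checks its arity while preparing the statement, before
    any function body runs, so a registered fixed-arity function (rtreenode
    takes two arguments) fails with "wrong number of arguments", while an
    unregistered one fails with "no such function".
    """
    if not name.isidentifier():
        raise ValueError(f"not a plain function name: {name!r}")
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(f"SELECT {name}()")
    except sqlite3.OperationalError as exc:
        msg = str(exc)
        if msg.startswith("no such function"):
            return False
        if msg.startswith("wrong number of arguments"):
            return True
        raise
    finally:
        conn.close()
    # A zero-argument call succeeded: the function exists and accepts no args.
    return True


def rtree_triage() -> dict:
    """Summarise what this sqlite3 build exposes, for the CVE-2019-8457 triage."""
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "rtreenode_registered": sql_function_registered("rtreenode"),
    }


if __name__ == "__main__":
    for key, value in rtree_triage().items():
        print(f"{key}: {value}")
```

A True result for `rtreenode_registered` means the function is callable from SQL on that build, so the "present but not triggered" reasoning would need re-checking there.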