Re: Request for help/comments: sqlite3

To: Jonas Meurer <jonas@freesources.org>
Cc: Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Request for help/comments: sqlite3
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 3 Jul 2019 15:26:29 +0200
Message-id: <[🔎] 20190703132629.GA12114@lorien.valinor.li>
Mail-followup-to: Jonas Meurer <jonas@freesources.org>, Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
In-reply-to: <[🔎] 0c55e5ce-e205-8c32-18ef-81c7272067eb@freesources.org>
References: <81518395-fd80-b725-f8b0-44237ad25d1e@freesources.org> <CABY6=0nZk++5wF5UWaTsz6OcV6UaJrR88C4WhVY44PGkMo-2jg@mail.gmail.com> <[🔎] 0c55e5ce-e205-8c32-18ef-81c7272067eb@freesources.org>

Hi Jonas,

On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
> 
> thanks for your response!
> 
> Ola Lundqvist:
> > I have now looked into this problem to see if I can out something.
> > 
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and I cannot find that it can be.
> > 
> > rtreenode function is registered using sqlite3_create_function
> > in sqlite3_rtree_init. But I cannot find that the sqlite4_rtree_init
> > function to be called from anywhere.
> > 
> > Based on this I think we can rather safely say that the function is not
> > used in Debian and hence the package is not affected.
> 
> Ok, great. So given that others didn't comment (yet) and we both agree
> on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.
> 
> Let's wait for Security Team's opinion. My recommendation for them would
> be to do the same, given that backporting the fix for CVE-2019-8457 to
> the sqlite3 version in Stretch will be as complex as it is for Jessie.

Ack we will look into it.

> > I think we usually
> > mark it as ignored with a description. An alternative is to mark it as
> > not-affected but I'm not sure whether that should be done in this case
> > since the vulnerability is there, just not triggered. Someone else can
> > maybe help out with that decision.
> 
> Marking it as 'non-affected' would be wrong as the package *is*
> affected. It's just that we consider it a minor vulnerability that we
> ignore for Jessie given that backporting a proper fix would mean very
> invasive code changes.
> 
> @Security Team: do you have a suggestion how to mark cases like this one
> in data/CVE/list? The best probably would be to have a 'no-dla' flag, right?

No there is no additional flag needed for that. Use no-dsa or if you
want to make a stronger annotation that LTS team does not want to
further look at the CVE <ignored>. See
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory.

Regards,
Salvatore

Reply to:

References:
- Re: Request for help/comments: sqlite3
  - From: Jonas Meurer <jonas@freesources.org>

Prev by Date: Reference nodejs in debian-security-support?
Next by Date: Re: Reference nodejs in debian-security-support?
Previous by thread: Re: Request for help/comments: sqlite3
Next by thread: Re: Request for help/comments: sqlite3
Index(es):
- Date
- Thread