
Incomplete fix for CVE-2019-20218/sqlite3



Hi,
CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:

----------------------------------------------------------------
CREATE TABLE v0 (a);
CREATE VIEW v2 (v3) AS WITH x1 AS (SELECT * FROM v2) SELECT v3 AS x, v3 AS y FROM v2;
SELECT * FROM v2;
----------------------------------------------------------------

still triggers an infinite loop. On Buster it correctly bails out:

----------------------------------------------------------------
sqlite> CREATE TABLE v0 (a);
sqlite> CREATE VIEW v2 (v3) AS WITH x1 AS (SELECT * FROM v2) SELECT v3 AS x, v3 AS y FROM v2;
sqlite> SELECT * FROM v2;
Error: view v2 is circularly defined
----------------------------------------------------------------

For the Buster update I also backported 

From 46a31cdf6b7c1197e01627f91af601479cd99940 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Sat, 9 Nov 2019 14:38:58 +0000
Subject: [PATCH] Make sure the WITH stack in the Parse object is disabled
 following an error.

which seems missing in Stretch. Not sure if that's all or if 3.16 needs other changes
as well, though.

Cheers,
        Moritz
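
A regression check built around the reproducer in the message above, as an added example that is not part of the original e-mail: it runs the three statements in a child process against the SQLite library linked into Python's `sqlite3` module, with a timeout, so a looping build is reported instead of hanging the caller. The function name, status labels and 10-second timeout are assumptions.

```python
import subprocess
import sys

# Reproducer statements copied from the message above.
REPRODUCER = (
    "CREATE TABLE v0 (a);",
    "CREATE VIEW v2 (v3) AS WITH x1 AS (SELECT * FROM v2) "
    "SELECT v3 AS x, v3 AS y FROM v2;",
    "SELECT * FROM v2;",
)

# Child program: runs the statements in an in-memory database, then prints
# the library version and either "OK" or "ERROR <message>".
CHILD = r"""
import sqlite3, sys
con = sqlite3.connect(":memory:")
print(sqlite3.sqlite_version)
try:
    for stmt in sys.argv[1:]:
        con.execute(stmt).fetchall()
except sqlite3.Error as exc:
    print("ERROR " + str(exc))
else:
    print("OK")
"""

def check_reproducer(statements=REPRODUCER, timeout=10.0):
    """Return (status, detail); status is bails_out, no_error, hang or crash."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD, *statements],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # The child was killed after the (assumed) timeout: treat as a loop.
        return "hang", f"no result within {timeout}s"
    lines = proc.stdout.splitlines()
    if proc.returncode != 0 or len(lines) < 2:
        return "crash", f"exit status {proc.returncode}"
    version, outcome = lines[0], lines[1]
    if outcome.startswith("ERROR "):
        return "bails_out", f"SQLite {version}: {outcome[6:]}"
    return "no_error", f"SQLite {version}: query completed"

if __name__ == "__main__":
    status, detail = check_reproducer()
    print(status, detail)
    sys.exit(0 if status == "bails_out" else 1)
```

A `bails_out` status corresponds to the Buster behaviour quoted above; `hang` or `crash` means the installed library still needs the fix.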

