
The state of fix for CVE-2019-8457 (especially as concerns db5.3)



Hello Everyone,

I have been (re-)investigating CVE-2019-8457 (previously investigated by
Jonas [0] and Ola [1]).

I am including the Security Team in the CC as the state of this CVE
related to db5.3 in stable/testing/unstable is part of the discussion.

In my investigation of this CVE, I came to concur with the initial
triage decisions made by Salvatore (04f9f1dd86d6) and Markus
(aed48caf3603) marking the issue as no-dsa/minor for db5.3 in bullseye,
buster, and stretch.

However, it seems that in #1010974 the CVE was identified as fixed in
db5.3/5.3.28+dfsg1-0.9. Yet, when I investigated the corresponding
Debian source package, it seems that the fix was misapplied.

First, it seems that the sqlite code is embedded in db5.3 *twice*. It
appears once as a properly structured source tree under lang/sql/sqlite.
It also appears again with what appears to be all of the sqlite3 code
merged into a single source file at lang/sql/generated/sqlite3.c. The
version of sqlite3 which is embedded (in both instances) is ancient,
being version 3.7.6.2. For reference, the upstream version of sqlite
that jessie shipped with was 3.8.7.1.

When the CVE-2019-8457 patch was added to db5.3/5.3.28+dfsg1-0.9, the
file that was patched was lang/sql/sqlite/ext/rtree/rtree.c (based on
the original patch from sqlite3 patching the file ext/rtree/rtree.c).
However, in reviewing a recent buildd log [2] I am unable to find any
evidence that the file ext/rtree/rtree.c is ever actually built. The
file lang/sql/generated/sqlite3.c, however, is built but it is never
patched.

In fact, the patch which was applied to
lang/sql/sqlite/ext/rtree/rtree.c supposedly to fix CVE-2019-8457
will not compile. One way to know this is that the patch adds calls to
the function sqlite3_str_appendf(), which appears nowhere in the code
base apart from the CVE-2019-8457 patch file. Jonas' original
observation that this patch requires major backporting work to be
functional on older versions of sqlite3 would imply that this patch is
actually broken/ineffective.

Additionally, as observed by Jonas in his initial investigation, the
affected function does not seem to be referenced anywhere at all in any
Debian code.

Based on the above, I recommend the following actions to the Security
Team:

- remove the db5.3/5.3.28+dfsg1-0.9 fix-version from #1010974
- re-triage CVE-2019-8457 (for db5.3 in bullseye) as:
  <ignored> (vulnerable code is present but unused in Debian, and fix is
  too risky to backport)

====================

The remainder of the discussion below here is specific to LTS/ELTS and
the Security Team can safely ignore what follows.

Based on the above findings, I have updated the triage of CVE-2019-8457
as follows:

diff --git a/data/CVE/list b/data/CVE/list
index b67a819a..e029bf25 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -298717,11 +298717,11 @@ CVE-2019-8458 (Check Point Endpoint Security Client for Windows, with Anti-Malwa
 CVE-2019-8457 (SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-o ...)
        - db5.3 5.3.28+dfsg1-0.9 (bug #1010974)
        [bullseye] - db5.3 <no-dsa> (Minor issue)
-       [buster] - db5.3 <no-dsa> (Minor issue)
-       [stretch] - db5.3 <no-dsa> (Minor issue)
+       [buster] - db5.3 <ignored> (vulnerable code is present but unused in Debian, and fix is too risky to backport)
+       [stretch] - db5.3 <ignored> (vulnerable code is present but unused in Debian, and fix is too risky to backport)
        - sqlite3 3.27.2-3 (bug #929775)
-       [stretch] - sqlite3 <no-dsa> (Minor issue; can be fixed via point release)
-       [jessie] - sqlite3 <no-dsa> (Minor issue)
+       [stretch] - sqlite3 <ignored> (vulnerable code is present but unused in Debian, and fix is too risky to backport)
+       [jessie] - sqlite3 <ignored> (vulnerable code is present but unused in Debian, and fix is too risky to backport)
        - sqlite <not-affected> (rtree extension not present in v2)
        NOTE: Fixed by: https://www.sqlite.org/src/info/90acdbfce9c08858
        NOTE: Make the internal dynamic string interface available to extensions:
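Review bot: the two sqlite3 lines (`+       [stretch] - sqlite3 <ignored> ...` and the matching `[jessie]` line) reuse the db5.3 rationale "vulnerable code is present but unused in Debian", but the investigation in this message only establishes that for the copy of sqlite embedded in db5.3; the line being replaced for stretch said the sqlite3 issue "can be fixed via point release", and nothing above shows that the rtree extension is unused in the stretch/jessie sqlite3 package itself. Consider a sqlite3-specific justification on those two lines, or a NOTE stating that rtree is not built or used there either.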

diff --git a/data/CVE-EXTENDED-LTS/list b/data/CVE-EXTENDED-LTS/list
index a7cfc5813f..f6f0e19617 100644
--- a/data/CVE-EXTENDED-LTS/list
+++ b/data/CVE-EXTENDED-LTS/list
@@ -3624,7 +3624,7 @@ CVE-2019-8428
 CVE-2019-8429
        [wheezy] - zoneminder <end-of-life>
 CVE-2019-8457
-       [jessie] - db5.3 <no-dsa> (Minor issue)
+       [jessie] - db5.3 <ignored> (vulnerable code is present but unused in Debian, and fix is too risky to backport)
 CVE-2019-8842
        [wheezy] - cups <end-of-life>
 CVE-2019-8904
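Review bot: the new `[jessie] - db5.3 <ignored>` line is consistent with the buster/stretch change in data/CVE/list, but neither file records why the earlier db5.3 fix-version is considered ineffective; a NOTE pointing at the buildd log showing that lang/sql/sqlite/ext/rtree/rtree.c is never compiled while lang/sql/generated/sqlite3.c is unpatched would save a later triager from repeating this investigation.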

If anyone has any objections or comments, please speak up.

Regards,

-Roberto

[0] https://lists.debian.org/debian-lts/2019/06/msg00013.html
[1] https://lists.debian.org/debian-lts/2019/06/msg00036.html
[2] https://buildd.debian.org/status/fetch.php?pkg=db5.3&arch=amd64&ver=5.3.28%2Bdfsg2-1&stamp=1674044225&raw=0

-- 
Roberto C. Sánchez
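The two checks the message relies on, whether the calls a patch adds are defined anywhere in the tree and whether the patched file ever shows up in a build log, as an added example that is not the author's code nor anything from the db5.3 package; the patch, source tree and build log below are constructed stand-ins, not the real db5.3 files or buildd log.

```python
import re

# Constructed sample inputs modelled on the situation in the message: a patch
# that adds a call to sqlite3_str_appendf() in the rtree extension, a tree in
# which that function is never defined, and a build log that compiles only the
# amalgamated lang/sql/generated/sqlite3.c (hypothetical, not the real files).
PATCH = """\
--- a/lang/sql/sqlite/ext/rtree/rtree.c
+++ b/lang/sql/sqlite/ext/rtree/rtree.c
@@ -1,3 +1,4 @@
 static void rtreeCheckAppendMsg(RtreeCheck *pCheck, const char *zFmt, ...){
+  sqlite3_str_appendf(pCheck->pMsg, "%s", zFmt);
   if( pCheck->rc==SQLITE_OK ){
"""
SOURCE_TREE = {
    "lang/sql/sqlite/ext/rtree/rtree.c":
        "static void rtreeCheckAppendMsg(RtreeCheck *p, const char *z, ...){\n}\n",
    "lang/sql/generated/sqlite3.c":
        "SQLITE_API int sqlite3_open(const char *f, sqlite3 **p){ return 0; }\n",
}
BUILD_LOG = """\
gcc -c -I. -I../src -DHAVE_CONFIG_H -o sqlite3.lo ../lang/sql/generated/sqlite3.c
gcc -c -I. -I../src -DHAVE_CONFIG_H -o db_sql.lo ../lang/sql/adapter/db_sql.c
"""

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
DEFN_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\([^;{}]*\)\s*\{")
C_KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof"}

def added_lines(patch):
    """Bodies of the '+' lines of a unified diff, excluding the '+++' header."""
    return [l[1:] for l in patch.splitlines()
            if l.startswith("+") and not l.startswith("+++")]

def calls_added_by_patch(patch):
    """Function names invoked on lines the patch adds."""
    names = set()
    for line in added_lines(patch):
        names.update(CALL_RE.findall(line))
    return names - C_KEYWORDS

def defined_functions(tree):
    """Crude scan for C function definitions (name, parameter list, '{') in a tree."""
    found = set()
    for text in tree.values():
        found.update(DEFN_RE.findall(text))
    return found

def undefined_calls(patch, tree):
    """Calls the patch introduces that neither the tree nor the patch itself defines."""
    with_patch = dict(tree, **{"<patch>": "\n".join(added_lines(patch))})
    return calls_added_by_patch(patch) - defined_functions(with_patch)

def is_compiled(build_log, path):
    """True if some compiler invocation in the log names this source file."""
    for line in build_log.splitlines():
        if line.startswith(("gcc", "cc ")) and any(tok.endswith(path) for tok in line.split()):
            return True
    return False
```

With the constructed inputs, undefined_calls() reports sqlite3_str_appendf and is_compiled() is true for the generated sqlite3.c but false for the patched rtree.c, which is exactly the mismatch the message describes.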