[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#784021: pu: sqlite3/3.8.7.1-1+deb8u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

There are three security bugs in SQLite3 which needs to be fixed for
Jessie. I've already prepared the update and debdiff is attached.
Security team is in the Cc in case they also working on it or would
like to take over.
In short, vulnerabilities are the following.
CVE-2015-3414 - uninitialized memory denial of service (remote).
CVE-2015-3415 - vdbe.c sqlite3VdbeExec denial of service (remote).
CVE-2015-3415 - printf.c sqlite3VXPrintf buffer overflow (remote).

Regards,
Laszlo/GCS

unblock sqlite3/3.8.7.1-1+deb8u1
[1] http://bugs.debian.org/783968
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog	2014-11-06 16:25:11.000000000 +0000
+++ sqlite3-3.8.7.1/debian/changelog	2015-05-02 08:12:43.000000000 +0000
@@ -1,3 +1,14 @@
+sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high
+
+  * Fix CVE-2015-3414 , use of uninitialized memory when parsing collation
+    sequences.
+  * Fix CVE-2015-3415 , properly implement comparison operators in
+    sqlite3VdbeExec() .
+  * Fix CVE-2015-3416 , properly handle precision and width values during
+    floating-point conversions in sqlite3VXPrintf() .
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 02 May 2015 07:59:48 +0000
+
 sqlite3 (3.8.7.1-1) unstable; urgency=medium
 
   * New upstream bugfix release.
diff -Nru sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch
--- sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch	2015-05-02 08:27:20.000000000 +0000
@@ -0,0 +1,187 @@
+Description: fix a problem causing collation sequence names to be dequoted multiple times under some circumstances
+ SQLite before 3.8.9 does not properly implement the dequoting of
+ collation-sequence names, which allows context-dependent attackers to cause a
+ denial of service (uninitialized memory access and application crash) or
+ possibly have unspecified other impact via a crafted COLLATE clause, as
+ demonstrated by COLLATE"""""""" at the end of a SELECT statement.
+Bug-Debian: https://bugs.debian.org/783968
+Author: Dan Kennedy
+Origin: upstream, https://www.sqlite.org/src/info/eddc05e7bb31fae74daa86e0504a3478b99fa0f2
+Last-Update: 2015-05-02
+
+---
+
+--- sqlite3-3.8.7.1.orig/src/expr.c
++++ sqlite3-3.8.7.1/src/expr.c
+@@ -69,10 +69,11 @@ char sqlite3ExprAffinity(Expr *pExpr){
+ Expr *sqlite3ExprAddCollateToken(
+   Parse *pParse,           /* Parsing context */
+   Expr *pExpr,             /* Add the "COLLATE" clause to this expression */
+-  const Token *pCollName   /* Name of collating sequence */
++  const Token *pCollName,  /* Name of collating sequence */
++  int dequote              /* True to dequote pCollName */
+ ){
+   if( pCollName->n>0 ){
+-    Expr *pNew = sqlite3ExprAlloc(pParse->db, TK_COLLATE, pCollName, 1);
++    Expr *pNew = sqlite3ExprAlloc(pParse->db, TK_COLLATE, pCollName, dequote);
+     if( pNew ){
+       pNew->pLeft = pExpr;
+       pNew->flags |= EP_Collate|EP_Skip;
+@@ -86,7 +87,7 @@ Expr *sqlite3ExprAddCollateString(Parse
+   assert( zC!=0 );
+   s.z = zC;
+   s.n = sqlite3Strlen30(s.z);
+-  return sqlite3ExprAddCollateToken(pParse, pExpr, &s);
++  return sqlite3ExprAddCollateToken(pParse, pExpr, &s, 0);
+ }
+ 
+ /*
+--- sqlite3-3.8.7.1.orig/src/parse.y
++++ sqlite3-3.8.7.1/src/parse.y
+@@ -854,7 +854,7 @@ expr(A) ::= VARIABLE(X).     {
+   spanSet(&A, &X, &X);
+ }
+ expr(A) ::= expr(E) COLLATE ids(C). {
+-  A.pExpr = sqlite3ExprAddCollateToken(pParse, E.pExpr, &C);
++  A.pExpr = sqlite3ExprAddCollateToken(pParse, E.pExpr, &C, 1);
+   A.zStart = E.zStart;
+   A.zEnd = &C.z[C.n];
+ }
+@@ -1200,14 +1200,14 @@ uniqueflag(A) ::= .        {A = OE_None;
+ idxlist_opt(A) ::= .                         {A = 0;}
+ idxlist_opt(A) ::= LP idxlist(X) RP.         {A = X;}
+ idxlist(A) ::= idxlist(X) COMMA nm(Y) collate(C) sortorder(Z).  {
+-  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C);
++  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C, 1);
+   A = sqlite3ExprListAppend(pParse,X, p);
+   sqlite3ExprListSetName(pParse,A,&Y,1);
+   sqlite3ExprListCheckLength(pParse, A, "index");
+   if( A ) A->a[A->nExpr-1].sortOrder = (u8)Z;
+ }
+ idxlist(A) ::= nm(Y) collate(C) sortorder(Z). {
+-  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C);
++  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C, 1);
+   A = sqlite3ExprListAppend(pParse,0, p);
+   sqlite3ExprListSetName(pParse, A, &Y, 1);
+   sqlite3ExprListCheckLength(pParse, A, "index");
+--- sqlite3-3.8.7.1.orig/src/sqliteInt.h
++++ sqlite3-3.8.7.1/src/sqliteInt.h
+@@ -3451,7 +3451,7 @@ int sqlite3ReadSchema(Parse *pParse);
+ CollSeq *sqlite3FindCollSeq(sqlite3*,u8 enc, const char*,int);
+ CollSeq *sqlite3LocateCollSeq(Parse *pParse, const char*zName);
+ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr);
+-Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, const Token*);
++Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, const Token*, int);
+ Expr *sqlite3ExprAddCollateString(Parse*,Expr*,const char*);
+ Expr *sqlite3ExprSkipCollate(Expr*);
+ int sqlite3CheckCollSeq(Parse *, CollSeq *);
+--- sqlite3-3.8.7.1.orig/src/where.c
++++ sqlite3-3.8.7.1/src/where.c
+@@ -1252,7 +1252,7 @@ static void exprAnalyze(
+     Expr *pNewExpr2;
+     int idxNew1;
+     int idxNew2;
+-    Token sCollSeqName;  /* Name of collating sequence */
++    const char *zCollSeqName;     /* Name of collating sequence */
+ 
+     pLeft = pExpr->x.pList->a[1].pExpr;
+     pStr2 = sqlite3ExprDup(db, pStr1, 0);
+@@ -1272,11 +1272,10 @@ static void exprAnalyze(
+       }
+       *pC = c + 1;
+     }
+-    sCollSeqName.z = noCase ? "NOCASE" : "BINARY";
+-    sCollSeqName.n = 6;
++    zCollSeqName = noCase ? "NOCASE" : "BINARY";
+     pNewExpr1 = sqlite3ExprDup(db, pLeft, 0);
+     pNewExpr1 = sqlite3PExpr(pParse, TK_GE, 
+-           sqlite3ExprAddCollateToken(pParse,pNewExpr1,&sCollSeqName),
++           sqlite3ExprAddCollateString(pParse,pNewExpr1,zCollSeqName),
+            pStr1, 0);
+     transferJoinMarkings(pNewExpr1, pExpr);
+     idxNew1 = whereClauseInsert(pWC, pNewExpr1, TERM_VIRTUAL|TERM_DYNAMIC);
+@@ -1284,7 +1283,7 @@ static void exprAnalyze(
+     exprAnalyze(pSrc, pWC, idxNew1);
+     pNewExpr2 = sqlite3ExprDup(db, pLeft, 0);
+     pNewExpr2 = sqlite3PExpr(pParse, TK_LT,
+-           sqlite3ExprAddCollateToken(pParse,pNewExpr2,&sCollSeqName),
++           sqlite3ExprAddCollateString(pParse,pNewExpr2,zCollSeqName),
+            pStr2, 0);
+     transferJoinMarkings(pNewExpr2, pExpr);
+     idxNew2 = whereClauseInsert(pWC, pNewExpr2, TERM_VIRTUAL|TERM_DYNAMIC);
+--- sqlite3-3.8.7.1.orig/test/collate1.test
++++ sqlite3-3.8.7.1/test/collate1.test
+@@ -10,12 +10,12 @@
+ #
+ #***********************************************************************
+ # This file implements regression tests for SQLite library.  The
+-# focus of this script is page cache subsystem.
++# focus of this script is testing collation sequences.
+ #
+-# $Id: collate1.test,v 1.5 2007/02/01 23:02:46 drh Exp $
+ 
+ set testdir [file dirname $argv0]
+ source $testdir/tester.tcl
++set testprefix collate1
+ 
+ #
+ # Tests are roughly organised as follows:
+@@ -333,4 +333,58 @@ do_test collate1-5.3 {
+   }
+ } {1 2}
+ 
++
++
++#-------------------------------------------------------------------------
++# Fix problems with handling collation sequences named '"""'.
++#
++do_execsql_test 6.1 {
++  SELECT """""""";
++} {\"\"\"}
++
++do_catchsql_test 6.2 {
++  CREATE TABLE x1(a);
++  SELECT a FROM x1 ORDER BY a COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++do_catchsql_test 6.3 {
++  SELECT a FROM x1 ORDER BY 1 COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++do_catchsql_test 6.4 {
++  SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++db collate {"""} [list string compare -nocase]
++
++do_execsql_test 6.5 {
++  PRAGMA foreign_keys = ON;
++  CREATE TABLE p1(a PRIMARY KEY COLLATE '"""');
++  CREATE TABLE c1(x, y REFERENCES p1);
++} {}
++
++do_execsql_test 6.6 { 
++  INSERT INTO p1 VALUES('abc'); 
++  INSERT INTO c1 VALUES(1, 'ABC'); 
++}
++
++ifcapable foreignkey {
++  do_catchsql_test 6.7 { 
++    DELETE FROM p1 WHERE rowid = 1 
++  } {1 {FOREIGN KEY constraint failed}}
++}
++
++do_execsql_test 6.8 { 
++  INSERT INTO p1 VALUES('abb');
++  INSERT INTO p1 VALUES('wxz');
++  INSERT INTO p1 VALUES('wxy');
++
++  INSERT INTO c1 VALUES(2, 'abb');
++  INSERT INTO c1 VALUES(3, 'wxz');
++  INSERT INTO c1 VALUES(4, 'WXY');
++  SELECT x, y FROM c1 ORDER BY y COLLATE """""""";
++} {2 abb 1 ABC 4 WXY 3 wxz}
++
+ finish_test
++
++
diff -Nru sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch
--- sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch	2015-05-02 08:37:38.000000000 +0000
@@ -0,0 +1,41 @@
+Description: ensure that comparison operators do not mess up the MEM_Dyn flag on registers when reverting affinity changes
+ The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not
+ properly implement comparison operators, which allows context-dependent
+ attackers to cause a denial of service (invalid free operation) or possibly
+ have unspecified other impact via a crafted CHECK clause, as demonstrated by
+ CHECK(0&O>O) in a CREATE TABLE statement.
+Bug-Debian: https://bugs.debian.org/783968
+Author: D. Richard Hipp
+Origin: upstream, https://www.sqlite.org/src/info/02e3c88fbf6abdcf3975fb0fb71972b0ab30da30
+Last-Update: 2015-05-02
+
+---
+
+--- sqlite3-3.8.7.1.orig/src/vdbe.c
++++ sqlite3-3.8.7.1/src/vdbe.c
+@@ -1905,11 +1905,15 @@ case OP_Ge: {             /* same as TK_
+         testcase( pIn1->flags & MEM_Int );
+         testcase( pIn1->flags & MEM_Real );
+         sqlite3VdbeMemStringify(pIn1, encoding, 1);
++        testcase( (flags1&MEM_Dyn) != (pIn1->flags&MEM_Dyn) );
++        flags1 = (pIn1->flags & ~MEM_TypeMask) | (flags1 & MEM_TypeMask);
+       }
+       if( (pIn3->flags & MEM_Str)==0 && (pIn3->flags & (MEM_Int|MEM_Real))!=0 ){
+         testcase( pIn3->flags & MEM_Int );
+         testcase( pIn3->flags & MEM_Real );
+         sqlite3VdbeMemStringify(pIn3, encoding, 1);
++        testcase( (flags3&MEM_Dyn) != (pIn3->flags&MEM_Dyn) );
++        flags3 = (pIn3->flags & ~MEM_TypeMask) | (flags3 & MEM_TypeMask);
+       }
+     }
+     assert( pOp->p4type==P4_COLLSEQ || pOp->p4.pColl==0 );
+@@ -1946,7 +1950,9 @@ case OP_Ge: {             /* same as TK_
+     }
+   }
+   /* Undo any changes made by applyAffinity() to the input registers. */
++  assert( (pIn1->flags & MEM_Dyn) == (flags1 & MEM_Dyn) );
+   pIn1->flags = flags1;
++  assert( (pIn3->flags & MEM_Dyn) == (flags3 & MEM_Dyn) );
+   pIn3->flags = flags3;
+   break;
+ }
diff -Nru sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch
--- sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch	2015-05-02 08:45:43.000000000 +0000
@@ -0,0 +1,49 @@
+Description: guard against excessive width and precision in floating-point conversions in the printf routines
+ The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not
+ properly handle precision and width values during floating-point conversions,
+ which allows context-dependent attackers to cause a denial of service
+ (integer overflow and stack-based buffer overflow) or possibly have
+ unspecified other impact via large integers in a crafted printf function call
+ in a SELECT statement.
+Bug-Debian: https://bugs.debian.org/783968
+Author: D. Richard Hipp
+Origin: upstream, http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920
+Last-Update: 2015-05-02
+
+---
+
+--- sqlite3-3.8.7.1.orig/src/printf.c
++++ sqlite3-3.8.7.1/src/printf.c
+@@ -462,7 +462,7 @@ void sqlite3VXPrintf(
+           else                         prefix = 0;
+         }
+         if( xtype==etGENERIC && precision>0 ) precision--;
+-        for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
++        for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+         if( xtype==etFLOAT ) realvalue += rounder;
+         /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
+         exp = 0;
+@@ -517,8 +517,9 @@ void sqlite3VXPrintf(
+         }else{
+           e2 = exp;
+         }
+-        if( MAX(e2,0)+precision+width > etBUFSIZE - 15 ){
+-          bufpt = zExtra = sqlite3Malloc( MAX(e2,0)+precision+width+15 );
++        if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
++          bufpt = zExtra 
++              = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 );
+           if( bufpt==0 ){
+             setStrAccumError(pAccum, STRACCUM_NOMEM);
+             return;
+--- sqlite3-3.8.7.1.orig/test/printf.test
++++ sqlite3-3.8.7.1/test/printf.test
+@@ -526,6 +526,9 @@ do_test printf-2.1.2.8 {
+ do_test printf-2.1.2.9 {
+   sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
++do_test printf-2.1.2.10 {
++  sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
++} {abc: }
+ do_test printf-2.1.3.1 {
+   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series	2014-10-17 16:44:24.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/series	2015-05-02 08:45:54.000000000 +0000
@@ -6,3 +6,6 @@
 10-665363-disable-malloc-usable-size.patch
 31-increase_SQLITE_MAX_DEFAULT_PAGE_SIZE_to_32k.patch
 02-use-packaged-lempar.c.patch
+40-CVE-2015-3414.patch
+41-CVE-2015-3415.patch
+42-CVE-2015-3416.patch

Reply to: