[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#784021: marked as done (pu: sqlite3/3.8.7.1-1+deb8u1)

Your message dated Sat, 2 May 2015 14:56:46 +0200
with message-id <20150502125646.GA20611@pisco.westfalen.local>
and subject line Re: Bug#784021: pu: sqlite3/3.8.7.1-1+deb8u1
has caused the Debian Bug report #784021,
regarding pu: sqlite3/3.8.7.1-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
784021: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784021
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

There are three security bugs in SQLite3 which needs to be fixed for
Jessie. I've already prepared the update and debdiff is attached.
Security team is in the Cc in case they also working on it or would
like to take over.
In short, vulnerabilities are the following.
CVE-2015-3414 - uninitialized memory denial of service (remote).
CVE-2015-3415 - vdbe.c sqlite3VdbeExec denial of service (remote).
CVE-2015-3415 - printf.c sqlite3VXPrintf buffer overflow (remote).

Regards,
Laszlo/GCS

unblock sqlite3/3.8.7.1-1+deb8u1
[1] http://bugs.debian.org/783968

diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog	2014-11-06 16:25:11.000000000 +0000
+++ sqlite3-3.8.7.1/debian/changelog	2015-05-02 08:12:43.000000000 +0000
@@ -1,3 +1,14 @@
+sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high
+
+  * Fix CVE-2015-3414 , use of uninitialized memory when parsing collation
+    sequences.
+  * Fix CVE-2015-3415 , properly implement comparison operators in
+    sqlite3VdbeExec() .
+  * Fix CVE-2015-3416 , properly handle precision and width values during
+    floating-point conversions in sqlite3VXPrintf() .
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 02 May 2015 07:59:48 +0000
+
 sqlite3 (3.8.7.1-1) unstable; urgency=medium
 
   * New upstream bugfix release.
diff -Nru sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch
--- sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/40-CVE-2015-3414.patch	2015-05-02 08:27:20.000000000 +0000
@@ -0,0 +1,187 @@
+Description: fix a problem causing collation sequence names to be dequoted multiple times under some circumstances
+ SQLite before 3.8.9 does not properly implement the dequoting of
+ collation-sequence names, which allows context-dependent attackers to cause a
+ denial of service (uninitialized memory access and application crash) or
+ possibly have unspecified other impact via a crafted COLLATE clause, as
+ demonstrated by COLLATE"""""""" at the end of a SELECT statement.
+Bug-Debian: https://bugs.debian.org/783968
+Author: Dan Kennedy
+Origin: upstream, https://www.sqlite.org/src/info/eddc05e7bb31fae74daa86e0504a3478b99fa0f2
+Last-Update: 2015-05-02
+
+---
+
+--- sqlite3-3.8.7.1.orig/src/expr.c
++++ sqlite3-3.8.7.1/src/expr.c
+@@ -69,10 +69,11 @@ char sqlite3ExprAffinity(Expr *pExpr){
+ Expr *sqlite3ExprAddCollateToken(
+   Parse *pParse,           /* Parsing context */
+   Expr *pExpr,             /* Add the "COLLATE" clause to this expression */
+-  const Token *pCollName   /* Name of collating sequence */
++  const Token *pCollName,  /* Name of collating sequence */
++  int dequote              /* True to dequote pCollName */
+ ){
+   if( pCollName->n>0 ){
+-    Expr *pNew = sqlite3ExprAlloc(pParse->db, TK_COLLATE, pCollName, 1);
++    Expr *pNew = sqlite3ExprAlloc(pParse->db, TK_COLLATE, pCollName, dequote);
+     if( pNew ){
+       pNew->pLeft = pExpr;
+       pNew->flags |= EP_Collate|EP_Skip;
+@@ -86,7 +87,7 @@ Expr *sqlite3ExprAddCollateString(Parse
+   assert( zC!=0 );
+   s.z = zC;
+   s.n = sqlite3Strlen30(s.z);
+-  return sqlite3ExprAddCollateToken(pParse, pExpr, &s);
++  return sqlite3ExprAddCollateToken(pParse, pExpr, &s, 0);
+ }
+ 
+ /*
+--- sqlite3-3.8.7.1.orig/src/parse.y
++++ sqlite3-3.8.7.1/src/parse.y
+@@ -854,7 +854,7 @@ expr(A) ::= VARIABLE(X).     {
+   spanSet(&A, &X, &X);
+ }
+ expr(A) ::= expr(E) COLLATE ids(C). {
+-  A.pExpr = sqlite3ExprAddCollateToken(pParse, E.pExpr, &C);
++  A.pExpr = sqlite3ExprAddCollateToken(pParse, E.pExpr, &C, 1);
+   A.zStart = E.zStart;
+   A.zEnd = &C.z[C.n];
+ }
+@@ -1200,14 +1200,14 @@ uniqueflag(A) ::= .        {A = OE_None;
+ idxlist_opt(A) ::= .                         {A = 0;}
+ idxlist_opt(A) ::= LP idxlist(X) RP.         {A = X;}
+ idxlist(A) ::= idxlist(X) COMMA nm(Y) collate(C) sortorder(Z).  {
+-  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C);
++  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C, 1);
+   A = sqlite3ExprListAppend(pParse,X, p);
+   sqlite3ExprListSetName(pParse,A,&Y,1);
+   sqlite3ExprListCheckLength(pParse, A, "index");
+   if( A ) A->a[A->nExpr-1].sortOrder = (u8)Z;
+ }
+ idxlist(A) ::= nm(Y) collate(C) sortorder(Z). {
+-  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C);
++  Expr *p = sqlite3ExprAddCollateToken(pParse, 0, &C, 1);
+   A = sqlite3ExprListAppend(pParse,0, p);
+   sqlite3ExprListSetName(pParse, A, &Y, 1);
+   sqlite3ExprListCheckLength(pParse, A, "index");
+--- sqlite3-3.8.7.1.orig/src/sqliteInt.h
++++ sqlite3-3.8.7.1/src/sqliteInt.h
+@@ -3451,7 +3451,7 @@ int sqlite3ReadSchema(Parse *pParse);
+ CollSeq *sqlite3FindCollSeq(sqlite3*,u8 enc, const char*,int);
+ CollSeq *sqlite3LocateCollSeq(Parse *pParse, const char*zName);
+ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr);
+-Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, const Token*);
++Expr *sqlite3ExprAddCollateToken(Parse *pParse, Expr*, const Token*, int);
+ Expr *sqlite3ExprAddCollateString(Parse*,Expr*,const char*);
+ Expr *sqlite3ExprSkipCollate(Expr*);
+ int sqlite3CheckCollSeq(Parse *, CollSeq *);
+--- sqlite3-3.8.7.1.orig/src/where.c
++++ sqlite3-3.8.7.1/src/where.c
+@@ -1252,7 +1252,7 @@ static void exprAnalyze(
+     Expr *pNewExpr2;
+     int idxNew1;
+     int idxNew2;
+-    Token sCollSeqName;  /* Name of collating sequence */
++    const char *zCollSeqName;     /* Name of collating sequence */
+ 
+     pLeft = pExpr->x.pList->a[1].pExpr;
+     pStr2 = sqlite3ExprDup(db, pStr1, 0);
+@@ -1272,11 +1272,10 @@ static void exprAnalyze(
+       }
+       *pC = c + 1;
+     }
+-    sCollSeqName.z = noCase ? "NOCASE" : "BINARY";
+-    sCollSeqName.n = 6;
++    zCollSeqName = noCase ? "NOCASE" : "BINARY";
+     pNewExpr1 = sqlite3ExprDup(db, pLeft, 0);
+     pNewExpr1 = sqlite3PExpr(pParse, TK_GE, 
+-           sqlite3ExprAddCollateToken(pParse,pNewExpr1,&sCollSeqName),
++           sqlite3ExprAddCollateString(pParse,pNewExpr1,zCollSeqName),
+            pStr1, 0);
+     transferJoinMarkings(pNewExpr1, pExpr);
+     idxNew1 = whereClauseInsert(pWC, pNewExpr1, TERM_VIRTUAL|TERM_DYNAMIC);
+@@ -1284,7 +1283,7 @@ static void exprAnalyze(
+     exprAnalyze(pSrc, pWC, idxNew1);
+     pNewExpr2 = sqlite3ExprDup(db, pLeft, 0);
+     pNewExpr2 = sqlite3PExpr(pParse, TK_LT,
+-           sqlite3ExprAddCollateToken(pParse,pNewExpr2,&sCollSeqName),
++           sqlite3ExprAddCollateString(pParse,pNewExpr2,zCollSeqName),
+            pStr2, 0);
+     transferJoinMarkings(pNewExpr2, pExpr);
+     idxNew2 = whereClauseInsert(pWC, pNewExpr2, TERM_VIRTUAL|TERM_DYNAMIC);
+--- sqlite3-3.8.7.1.orig/test/collate1.test
++++ sqlite3-3.8.7.1/test/collate1.test
+@@ -10,12 +10,12 @@
+ #
+ #***********************************************************************
+ # This file implements regression tests for SQLite library.  The
+-# focus of this script is page cache subsystem.
++# focus of this script is testing collation sequences.
+ #
+-# $Id: collate1.test,v 1.5 2007/02/01 23:02:46 drh Exp $
+ 
+ set testdir [file dirname $argv0]
+ source $testdir/tester.tcl
++set testprefix collate1
+ 
+ #
+ # Tests are roughly organised as follows:
+@@ -333,4 +333,58 @@ do_test collate1-5.3 {
+   }
+ } {1 2}
+ 
++
++
++#-------------------------------------------------------------------------
++# Fix problems with handling collation sequences named '"""'.
++#
++do_execsql_test 6.1 {
++  SELECT """""""";
++} {\"\"\"}
++
++do_catchsql_test 6.2 {
++  CREATE TABLE x1(a);
++  SELECT a FROM x1 ORDER BY a COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++do_catchsql_test 6.3 {
++  SELECT a FROM x1 ORDER BY 1 COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++do_catchsql_test 6.4 {
++  SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE """""""";
++} {1 {no such collation sequence: """}}
++
++db collate {"""} [list string compare -nocase]
++
++do_execsql_test 6.5 {
++  PRAGMA foreign_keys = ON;
++  CREATE TABLE p1(a PRIMARY KEY COLLATE '"""');
++  CREATE TABLE c1(x, y REFERENCES p1);
++} {}
++
++do_execsql_test 6.6 { 
++  INSERT INTO p1 VALUES('abc'); 
++  INSERT INTO c1 VALUES(1, 'ABC'); 
++}
++
++ifcapable foreignkey {
++  do_catchsql_test 6.7 { 
++    DELETE FROM p1 WHERE rowid = 1 
++  } {1 {FOREIGN KEY constraint failed}}
++}
++
++do_execsql_test 6.8 { 
++  INSERT INTO p1 VALUES('abb');
++  INSERT INTO p1 VALUES('wxz');
++  INSERT INTO p1 VALUES('wxy');
++
++  INSERT INTO c1 VALUES(2, 'abb');
++  INSERT INTO c1 VALUES(3, 'wxz');
++  INSERT INTO c1 VALUES(4, 'WXY');
++  SELECT x, y FROM c1 ORDER BY y COLLATE """""""";
++} {2 abb 1 ABC 4 WXY 3 wxz}
++
+ finish_test
++
++
diff -Nru sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch
--- sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/41-CVE-2015-3415.patch	2015-05-02 08:37:38.000000000 +0000
@@ -0,0 +1,41 @@
+Description: ensure that comparison operators do not mess up the MEM_Dyn flag on registers when reverting affinity changes
+ The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not
+ properly implement comparison operators, which allows context-dependent
+ attackers to cause a denial of service (invalid free operation) or possibly
+ have unspecified other impact via a crafted CHECK clause, as demonstrated by
+ CHECK(0&O>O) in a CREATE TABLE statement.
+Bug-Debian: https://bugs.debian.org/783968
+Author: D. Richard Hipp
+Origin: upstream, https://www.sqlite.org/src/info/02e3c88fbf6abdcf3975fb0fb71972b0ab30da30
+Last-Update: 2015-05-02
+
+---
+
+--- sqlite3-3.8.7.1.orig/src/vdbe.c
++++ sqlite3-3.8.7.1/src/vdbe.c
+@@ -1905,11 +1905,15 @@ case OP_Ge: {             /* same as TK_
+         testcase( pIn1->flags & MEM_Int );
+         testcase( pIn1->flags & MEM_Real );
+         sqlite3VdbeMemStringify(pIn1, encoding, 1);
++        testcase( (flags1&MEM_Dyn) != (pIn1->flags&MEM_Dyn) );
++        flags1 = (pIn1->flags & ~MEM_TypeMask) | (flags1 & MEM_TypeMask);
+       }
+       if( (pIn3->flags & MEM_Str)==0 && (pIn3->flags & (MEM_Int|MEM_Real))!=0 ){
+         testcase( pIn3->flags & MEM_Int );
+         testcase( pIn3->flags & MEM_Real );
+         sqlite3VdbeMemStringify(pIn3, encoding, 1);
++        testcase( (flags3&MEM_Dyn) != (pIn3->flags&MEM_Dyn) );
++        flags3 = (pIn3->flags & ~MEM_TypeMask) | (flags3 & MEM_TypeMask);
+       }
+     }
+     assert( pOp->p4type==P4_COLLSEQ || pOp->p4.pColl==0 );
+@@ -1946,7 +1950,9 @@ case OP_Ge: {             /* same as TK_
+     }
+   }
+   /* Undo any changes made by applyAffinity() to the input registers. */
++  assert( (pIn1->flags & MEM_Dyn) == (flags1 & MEM_Dyn) );
+   pIn1->flags = flags1;
++  assert( (pIn3->flags & MEM_Dyn) == (flags3 & MEM_Dyn) );
+   pIn3->flags = flags3;
+   break;
+ }
diff -Nru sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch
--- sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/42-CVE-2015-3416.patch	2015-05-02 08:45:43.000000000 +0000
@@ -0,0 +1,49 @@
+Description: guard against excessive width and precision in floating-point conversions in the printf routines
+ The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not
+ properly handle precision and width values during floating-point conversions,
+ which allows context-dependent attackers to cause a denial of service
+ (integer overflow and stack-based buffer overflow) or possibly have
+ unspecified other impact via large integers in a crafted printf function call
+ in a SELECT statement.
+Bug-Debian: https://bugs.debian.org/783968
+Author: D. Richard Hipp
+Origin: upstream, http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920
+Last-Update: 2015-05-02
+
+---
+
+--- sqlite3-3.8.7.1.orig/src/printf.c
++++ sqlite3-3.8.7.1/src/printf.c
+@@ -462,7 +462,7 @@ void sqlite3VXPrintf(
+           else                         prefix = 0;
+         }
+         if( xtype==etGENERIC && precision>0 ) precision--;
+-        for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
++        for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+         if( xtype==etFLOAT ) realvalue += rounder;
+         /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
+         exp = 0;
+@@ -517,8 +517,9 @@ void sqlite3VXPrintf(
+         }else{
+           e2 = exp;
+         }
+-        if( MAX(e2,0)+precision+width > etBUFSIZE - 15 ){
+-          bufpt = zExtra = sqlite3Malloc( MAX(e2,0)+precision+width+15 );
++        if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
++          bufpt = zExtra 
++              = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 );
+           if( bufpt==0 ){
+             setStrAccumError(pAccum, STRACCUM_NOMEM);
+             return;
+--- sqlite3-3.8.7.1.orig/test/printf.test
++++ sqlite3-3.8.7.1/test/printf.test
+@@ -526,6 +526,9 @@ do_test printf-2.1.2.8 {
+ do_test printf-2.1.2.9 {
+   sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
++do_test printf-2.1.2.10 {
++  sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
++} {abc: }
+ do_test printf-2.1.3.1 {
+   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series	2014-10-17 16:44:24.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/series	2015-05-02 08:45:54.000000000 +0000
@@ -6,3 +6,6 @@
 10-665363-disable-malloc-usable-size.patch
 31-increase_SQLITE_MAX_DEFAULT_PAGE_SIZE_to_32k.patch
 02-use-packaged-lempar.c.patch
+40-CVE-2015-3414.patch
+41-CVE-2015-3415.patch
+42-CVE-2015-3416.patch

--- End Message ---
--- Begin Message --- 
On Sat, May 02, 2015 at 11:24:04AM +0100, Adam D. Barratt wrote:
> user release.debian.org@packages.debian.org
> usertags 784021 = pu
> tags 784021 + moreinfo jessie
> thanks
> 
> On 2015-05-02 10:42, László Böszörményi wrote:
> >Package: release.debian.org
> >Severity: normal
> >User: release.debian.org@packages.debian.org
> >Usertags: unblock
> 
> No. Testing isn't frozen and this is a request for an update to stable;
> fixed. (Oddly you got the tag in the subject (mostly) correct.)
> 
> >There are three security bugs in SQLite3 which needs to be fixed for
> >Jessie. I've already prepared the update and debdiff is attached.
> >Security team is in the Cc in case they also working on it or would
> >like to take over.
> >In short, vulnerabilities are the following.
> >CVE-2015-3414 - uninitialized memory denial of service (remote).
> >CVE-2015-3415 - vdbe.c sqlite3VdbeExec denial of service (remote).
> >CVE-2015-3415 - printf.c sqlite3VXPrintf buffer overflow (remote).
> 
> As none of those are currently tagged no-dsa in the security tracker, I'd
> prefer to wait for confirmation on that. I'd have thought it made more sense
> to talk to them first tbh but never mind. :)

These should go through security.debian.org, I'm closing this bug.

Cheers,
        Moritz

--- End Message ---
Reply to: