
Bug#877640: marked as done (stretch-pu: package sqlite3/3.16.2-5+deb9u1)



Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877640,
regarding stretch-pu: package sqlite3/3.16.2-5+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
877640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877640
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi SRMs,

I'd like to fix CVE-2017-10989 in SQLite3 for Stretch, which is a
heap-based buffer over-read via undersized RTree blobs.
It's considered remotely exploitable, still marked as no-DSA by the
Security Team. Still, worth fixing via the point update, proposed patch
is attached.

Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog
--- sqlite3-3.16.2/debian/changelog	2017-06-08 22:07:42.000000000 +0000
+++ sqlite3-3.16.2/debian/changelog	2017-10-03 16:13:44.000000000 +0000
@@ -1,3 +1,10 @@
+sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree 
+    blobs (closes: #867618).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 03 Oct 2017 16:13:44 +0000
+
 sqlite3 (3.16.2-5) unstable; urgency=medium
 
   * Backport fix for corruption due to REPLACE in an auto-vacuumed database.
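Review bot: The first added changelog line has a stray space before the comma ("CVE-2017-10989 ,") and trailing whitespace after "RTree"; tidy both so the entry reads "Fix CVE-2017-10989, heap-based buffer over-read via undersized RTree blobs". It would also help to name the new patch file (51-CVE-2017-10989.patch) in the entry, so the changelog points directly at what implements the fix.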
diff -Nru sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch
--- sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch	1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch	2017-10-03 16:13:44.000000000 +0000
@@ -0,0 +1,47 @@
+Index: sqlite3/ext/rtree/rtree.c
+==================================================================
+--- sqlite3/ext/rtree/rtree.c
++++ sqlite3/ext/rtree/rtree.c
+@@ -3207,10 +3207,14 @@
+         pRtree->zDb, pRtree->zName
+     );
+     rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
+     if( rc!=SQLITE_OK ){
+       *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
++    }else if( pRtree->iNodeSize<(512-64) ){
++      rc = SQLITE_CORRUPT;
++      *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
++                               pRtree->zName);
+     }
+   }
+ 
+   sqlite3_free(zSql);
+   return rc;
+
+Index: sqlite3/ext/rtree/rtreeA.test
+==================================================================
+--- sqlite3/ext/rtree/rtreeA.test
++++ sqlite3/ext/rtree/rtreeA.test
+@@ -213,8 +213,21 @@
+ } {}
+ do_corruption_tests rtreeA-6.1 {
+   1   "DELETE FROM t1 WHERE rowid = 5"
+   2   "UPDATE t1 SET x1=x1+1, x2=x2+1"
+ }
++
++#-------------------------------------------------------------------------
++# Truncated blobs in the _node table.
++#
++create_t1
++populate_t1
++sqlite3 db test.db
++do_execsql_test rtreeA-7.100 { 
++  UPDATE t1_node SET data=x'' WHERE rowid=1;
++} {}
++do_catchsql_test rtreeA-7.110 {
++  SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
++} {1 {undersize RTree blobs in "t1_node"}}
+ 
+ 
+ finish_test
+
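Review bot: The added test (rtreeA-7.100 / rtreeA-7.110) only exercises a zero-length blob, "UPDATE t1_node SET data=x'' WHERE rowid=1", so the new comparison "pRtree->iNodeSize<(512-64)" in rtree.c is never tested near its boundary; a second case with a non-empty blob shorter than 448 bytes would show that the SQLITE_CORRUPT path is taken for truncated nodes in general and not just for empty ones. The threshold itself is a bare "(512-64)" with no comment in the C change; one line saying where that minimum node size comes from would make later backports and reviews easier. The patch file also starts straight at "Index: sqlite3/ext/rtree/rtree.c" with no header, so the description, the upstream origin of the change and the bug reference (#867618 per the changelog) are not recorded in the patch itself.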
diff -Nru sqlite3-3.16.2/debian/patches/series sqlite3-3.16.2/debian/patches/series
--- sqlite3-3.16.2/debian/patches/series	2017-06-08 22:07:42.000000000 +0000
+++ sqlite3-3.16.2/debian/patches/series	2017-10-03 16:13:44.000000000 +0000
@@ -13,3 +13,4 @@
 42-JSON-2_2.patch
 43-JSON-3.patch
 50-REPLACE_corruption_fix.patch
+51-CVE-2017-10989.patch

--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---
