
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1



Hi Salvatore,

On 15/06/2023 at 07:21, Salvatore Bonaccorso wrote:
Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
[...]

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.000000000 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet <pgt@debian.org>  Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Thanks for looking at my diff. I admit I had not considered closing the bug here, since it has already been declared as closed by the upload to unstable; I would have issued a BTS command after this proposal hits bookworm.
Anyway, thanks for educating me on this.

Enclosed is the new source debdiff, everything else in the original message of this bug thread remains unchanged.


Regards,
Salvatore

Best,

--
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.000000000 +0200
@@ -1,3 +1,10 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm,
+    Closes: #1036706)
+
+ -- Pierre Gruet <pgt@debian.org>  Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
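Review bot: the changelog line "Using a random UUID for the connection" overstates the scope of the change; the patch shipped in this debdiff only replaces the predictable `resourceAddr.hashCode()` in the name of the temporary database file created under java.io.tmpdir, nothing about the connection itself changes. Suggest wording it as what actually changed, e.g. "Use a random UUID instead of a predictable hash for the temporary database file name (Fixes CVE-2023-32697 in Bookworm, Closes: #1036706)", so the stable changelog is accurate for anyone auditing the update later.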
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	1970-01-01 01:00:00.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	2023-06-13 23:17:23.000000000 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet <pgt@debian.org>
+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
++++ b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+         }
+ 
+         String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-        String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++        String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+         File dbFile = new File(tempFolder, dbFileName);
+ 
+         if (dbFile.exists()) {
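Review bot: the `if (dbFile.exists())` check kept as trailing context at the end of the hunk still checks for the file and then creates it as separate steps, so switching the name to `UUID.randomUUID()` closes the predictable-name problem that `String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode())` created but leaves the check-then-act window in a shared java.io.tmpdir; since this is upstream's own commit edb4b8adc2447bc04e05b9b908195a4bc7926242 taken verbatim, it is acceptable for a stable update, but a follow-up that uses `java.nio.file.Files.createTempFile` (atomic creation, owner-only permissions on POSIX) would be the stronger fix. Separately, the DEP-3 header says `Origin: upstream` and `Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242` yet `Author: Pierre Gruet <pgt@debian.org>`; for a patch taken from upstream, Author should name the upstream committer (or be omitted), with the Debian packager credited in the changelog instead.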
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-02-02 17:16:53.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-06-13 23:10:58.000000000 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch
