
Bug#1037542: marked as done (bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1)



Your message dated Sat, 22 Jul 2023 13:19:40 +0000
with message-id <E1qNCWK-005rnn-V3@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1037542,
regarding bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037542
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-jdbc@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 was filed a few days before the release of Bookworm.
This is a security bug associated with CVE-2023-32697. Although it has been
marked no-dsa by the security team, we exchanged a few emails and our
conclusion was that the fix for this bug, which amounts to cherry-picking one
commit from upstream, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
package are mainly used in a single-user environment, but possibly it is also
used in a network environment by some users for their own programs, and this is
where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
The code is very simple: only 2 lines are changed. Upstream published it
three weeks ago and has issued new upstream versions since then.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
which uses a random UUID instead of the hash of some fixed address in order to
define the DB file name.



Thanks for your help,

Best,

-- 
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.000000000 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet <pgt@debian.org>  Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
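Review bot: the new changelog entry names the CVE but does not close the Debian bug this request is built on (#1036706), and "for the connection" is slightly off since the UUID is used for the temporary DB file name, not the connection. Suggest `  * Use a random UUID for the temporary DB file name (CVE-2023-32697, Closes: #1036706)` so the BTS records the fix when the upload is accepted.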
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	1970-01-01 01:00:00.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	2023-06-13 23:17:23.000000000 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet <pgt@debian.org>
+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
++++ b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+         }
+ 
+         String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-        String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++        String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+         File dbFile = new File(tempFolder, dbFileName);
+ 
+         if (dbFile.exists()) {
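Review bot: the DEP-3 `Author:` header names the Debian maintainer while `Origin: upstream` and `Applied-Upstream:` point at upstream commit edb4b8adc2447bc04e05b9b908195a4bc7926242; DEP-3 `Author` is meant to be the patch's author, so either credit the upstream committer there or drop the field and let `Origin:` carry the provenance. On the code itself, the `%d` to `%s` switch matches the string form of `UUID.randomUUID()`, which draws from a cryptographically strong generator, so the temp file name is no longer derivable from `resourceAddr`; the `if (dbFile.exists())` branch that follows is still worth keeping as a fail-safe, since the file lives in the shared `java.io.tmpdir`.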
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-02-02 17:16:53.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-06-13 23:10:58.000000000 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch

--- End Message ---
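The "[ Changes ]" section above describes the fix as replacing a hash of a fixed resource address with a random UUID in the temporary DB file name. The following Java program is an added illustration, not code from sqlite-jdbc or from the Debian package: it contrasts the two naming schemes and shows one fail-closed way to create the file so that a pre-existing file of the same name is refused rather than reused. The resource string and the `TempDbNaming` class are constructed for this example.

```java
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.UUID;

/**
 * Added example (not sqlite-jdbc's code): pre-fix vs post-fix naming of the
 * temporary DB file, plus a fail-closed creation step.
 */
public class TempDbNaming {

    // Constructed resource address; in sqlite-jdbc this would be the classpath
    // resource the connection was opened from.
    static final String RESOURCE_ADDR = "jar:file:/opt/app/app.jar!/data/example.db";

    /** Pre-fix scheme: hashCode() of a fixed string is the same on every run and host. */
    static String predictableName(String resourceAddr) {
        return String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
    }

    /** Post-fix scheme: a fresh random UUID for every connection. */
    static String randomName() {
        return String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
    }

    /**
     * Creates the temp file with CREATE_NEW (O_EXCL semantics): the call fails
     * if any file, symlink included, already sits at that path, instead of
     * silently reusing content somebody else placed in the shared tmpdir.
     */
    static Path createTempDb(Path tempFolder, String fileName) throws IOException {
        Path target = tempFolder.resolve(fileName);
        try {
            Files.newByteChannel(target, StandardOpenOption.CREATE_NEW,
                                 StandardOpenOption.WRITE).close();
        } catch (FileAlreadyExistsException e) {
            throw new IOException("refusing to reuse pre-existing temp DB: " + target, e);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Same input twice gives the same name: this is what made the old scheme guessable.
        System.out.println("old scheme stable across calls: "
                + predictableName(RESOURCE_ADDR).equals(predictableName(RESOURCE_ADDR)));
        // Two connections under the fixed scheme get two different names.
        System.out.println("new scheme equal across calls: "
                + randomName().equals(randomName()));

        Path tmp = Files.createTempDirectory("sqlite-jdbc-example");
        Path db = createTempDb(tmp, randomName());
        System.out.println("created " + db);

        // Creating the same name again is refused rather than reused.
        try {
            createTempDb(tmp, db.getFileName().toString());
        } catch (IOException e) {
            System.out.println("second create refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac TempDbNaming.java && java TempDbNaming`. The CREATE_NEW step is the part that goes beyond the patch text: the upstream change makes the name unguessable, and an exclusive create additionally turns any collision in `java.io.tmpdir` into a visible error.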
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
