
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-jdbc@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
> 
> Dear Release team,
> 
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
> 
> [ Reason ]
> Grave bug #1036706 was filed a few days before the release of Bookworm.
> This is a security bug associated with CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was that the fix for this bug, which amounts to cherry-picking one
> upstream commit, should land in Bookworm during a point release.
> 
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this is
> where there might be some hazard.
> 
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
> 
> [ Risks ]
> The code is very simple; only 2 lines are changed. Upstream published it
> three weeks ago and has issued new upstream versions since then.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
> 
> Thanks for your help,
> 
> Best,
> 
> -- 
> Pierre

> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
> --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.000000000 +0100
> +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.000000000 +0200
> @@ -1,3 +1,9 @@
> +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
> +
> +  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
> +
> + -- Pierre Gruet <pgt@debian.org>  Tue, 13 Jun 2023 23:19:59 +0200
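Review bot: the new changelog entry on the `+  * Using a random UUID for the connection` line carries no `Closes: #1036706`, so the upload will not close the Debian bug that motivated this update and the BTS will have to be tidied by hand; append the closer to that line, e.g. `  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm, Closes: #1036706)`. Since the [Changes] section describes the UUID as replacing the DB file name derivation rather than anything per-connection, "for the temporary DB file name" would also describe the change more precisely. Separately, the hunk header `@@ -1,3 +1,9 @@` announces six added lines plus three unchanged context lines, but only five `+` lines and no context are quoted here, so the debdiff as reproduced in this message is truncated and the full debdiff attached to the bug is what should be reviewed before acking.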

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore
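The naming change that Pierre's [Changes] paragraph describes, a random UUID instead of the hash of a fixed value, shown as an added example in Python. This is not code from xerial-sqlite-jdbc, from upstream commit edb4b8ad, or from the Debian package; the FIXED_SEED constant and the file-name layout are assumptions made for illustration, and the O_EXCL guard in create_exclusive goes beyond what the upstream commit does, included here as the extra check a practitioner would want alongside the random name.

```python
"""Predictable vs. random temp DB file names (constructed illustration).

Added example; not code from xerial-sqlite-jdbc or from the Debian package.
The seed constant, the file-name layout and the exclusive-create guard are
assumptions made for illustration; the real upstream commit is not reproduced.
"""
import hashlib
import os
import tempfile
import uuid

# Hypothetical stand-in for "the hash of some fixed address": a constant that
# is identical on every run and on every host running the same build.
FIXED_SEED = "/fixed/native/library/address"  # constructed, not a real path


def predictable_name(seed: str = FIXED_SEED) -> str:
    """Pre-fix behaviour: the name is a hash of a constant, so it is the same
    on every run and anyone who knows the constant can compute it in advance."""
    digest = hashlib.sha256(seed.encode()).hexdigest()[:16]
    return f"sqlite-jdbc-{digest}.db"


def random_name() -> str:
    """Post-fix behaviour: a fresh random (version 4) UUID per call, so the
    name cannot be computed by another party ahead of time."""
    return f"sqlite-jdbc-{uuid.uuid4()}.db"


def distinct_names(fn, n: int) -> int:
    """Call the naming function n times and return how many distinct names
    it produced: 1 for the predictable scheme, n for the random one."""
    return len({fn() for _ in range(n)})


def is_random_uuid_name(name: str) -> bool:
    """Check that a name carries a version-4 UUID in the expected slot."""
    if not (name.startswith("sqlite-jdbc-") and name.endswith(".db")):
        return False
    try:
        return uuid.UUID(name[len("sqlite-jdbc-"):-3]).version == 4
    except ValueError:
        return False


def create_exclusive(path: str) -> int:
    """Extra guard (assumption, beyond the upstream change): create the file
    only if it does not already exist (O_EXCL, mode 0600), so a path another
    party placed there first is refused rather than reused. Returns the fd."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def exclusive_create_check() -> bool:
    """Self-contained check: a second exclusive create of the same path must
    raise FileExistsError. Runs in a throwaway directory and cleans up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, random_name())
        os.close(create_exclusive(path))
        try:
            os.close(create_exclusive(path))
        except FileExistsError:
            return True
        return False


if __name__ == "__main__":
    print("predictable:", predictable_name(),
          "distinct in 5 calls:", distinct_names(predictable_name, 5))
    print("random     :", random_name(),
          "distinct in 5 calls:", distinct_names(random_name, 5))
    print("second exclusive create refused:", exclusive_create_check())
```

Running the block prints the same predictable name on every invocation and a different random one each time; the exclusive-create check is what turns an unpredictable name into an actual guarantee that the file the driver opens is the one it just created.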