[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1083162: bookworm-pu: package sqlite3/3.40.1-2+deb12u1

On Wed, Oct 02, 2024 at 03:41:01PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Oct 02, 2024 at 04:28:54PM +0300, Adrian Bunk wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bookworm
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: security@debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>
> > 
> >   * CVE-2023-7104: Session extension buffer overread
> 
> I guess something is missing here ;).
>...

Thanks for noticing, debdiff is now attached.

> Regards,
> Salvatore

cu
Adrian

diffstat for sqlite3-3.40.1 sqlite3-3.40.1

 changelog                                                               |    7 +
 patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch |   45 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 53 insertions(+)

diff -Nru sqlite3-3.40.1/debian/changelog sqlite3-3.40.1/debian/changelog
--- sqlite3-3.40.1/debian/changelog	2023-03-16 20:54:28.000000000 +0200
+++ sqlite3-3.40.1/debian/changelog	2024-10-02 16:13:48.000000000 +0300
@@ -1,3 +1,10 @@
+sqlite3 (3.40.1-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2023-7104: Session extension buffer overread
+
+ -- Adrian Bunk <bunk@debian.org>  Wed, 02 Oct 2024 16:13:48 +0300
+
 sqlite3 (3.40.1-2) unstable; urgency=medium
 
   [ Cyril Brulebois <cyril@debamax.com> ]
diff -Nru sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch
--- sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch	1970-01-01 02:00:00.000000000 +0200
+++ sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch	2024-10-02 16:13:04.000000000 +0300
@@ -0,0 +1,45 @@
+From a13638ed10eff960cebe88554bca48704a66a268 Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: Fix a buffer overread in the sessions extension that could occur when
+ processing a corrupt changeset.
+
+FossilOrigin-Name: 0e4e7a05c4204b47a324d67e18e76d2a98e26b2723d19d5c655ec9fd2e41f4b7
+---
+ ext/session/sqlite3session.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
+index fd06f3b4d..776797ff2 100644
+--- a/ext/session/sqlite3session.c
++++ b/ext/session/sqlite3session.c
+@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
++        if( (pIn->nData-pIn->iNext)<8 ){
++          rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
++          sqlite3_int64 v = sessionGetI64(aVal);
++          if( eType==SQLITE_INTEGER ){
++            sqlite3VdbeMemSetInt64(apOut[i], v);
++          }else{
++            double d;
++            memcpy(&d, &v, 8);
++            sqlite3VdbeMemSetDouble(apOut[i], d);
++          }
++          pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.30.2
+
diff -Nru sqlite3-3.40.1/debian/patches/series sqlite3-3.40.1/debian/patches/series
--- sqlite3-3.40.1/debian/patches/series	2022-12-31 10:41:40.000000000 +0200
+++ sqlite3-3.40.1/debian/patches/series	2024-10-02 16:13:48.000000000 +0300
@@ -7,3 +7,4 @@
 32-dynamic_link.patch
 02-use-packaged-lempar.c.patch
 40-amalgamation_configure.patch
+0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch
Reply to: