Re: "Magellan" bug in sqlite3

To: debian-security@lists.debian.org
Cc: Hideki Yamane <henrich@iijmio-mail.jp>, Christoph Moench-Tegeder <cmt@burggraben.net>
Subject: Re: "Magellan" bug in sqlite3
From: qmi <lista@miklos.info>
Date: Thu, 20 Dec 2018 22:00:34 +0100
Message-id: <[🔎] 20181220210034.4jdvhqqcdydrgfbh@qmiacer>
Mail-followup-to: qmi <lista@miklos.info>, debian-security@lists.debian.org, Hideki Yamane <henrich@iijmio-mail.jp>, Christoph Moench-Tegeder <cmt@burggraben.net>
In-reply-to: <[🔎] 20181219233623.GA5295@elch.exwg.net>
References: <[🔎] 20181217142025.9b9cee78daeb1d46da1ebad2@iijmio-mail.jp> <[🔎] 20181218223623.atfeor7slcpj2em5@qmiacer> <[🔎] 20181219164036.e5feca2fcc05b07d5f20c2ab@iijmio-mail.jp> <[🔎] 20181219184832.7rbqvie4etxs4h4h@qmiacer> <[🔎] 20181219233623.GA5295@elch.exwg.net>

On Thu, Dec 20, 2018 at 12:36:23AM +0100, Christoph Moench-Tegeder wrote:
> > > > This vulnerability seems to have been already handled. See URL:
> > > > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
> > > 
> > >  No, we should deal with it in stable release, so tracking is important.
> > > 
> > Please check the link above once again.
> 
> Oh well, let's do that, by all means:
> - the description reads "sqlite: info leak" - that's not the remote
>   code execution Tencent has found.
In the Tencent link you can read, 1.'Remote code execution, leaking program
memory or causing program crashes.' and:
2.'Magellan is a number of vulnerabilities that exist in SQLite.' and:
3.'so this vulnerability has a wide range of influence.' and:
4.'We follow the responsible vulnerability disclosure process and will
not disclose the details of the vulnerability in advance... '

The above points 1.2.3.4. might indicate information leakage vulnerability
_as well_.

> I conclude that "TEMP-0566326-9A899F" is not the vulnerability Tencent
> as dubbed "Magellan".
Now we do know yes, after further research which you pointed out. My
answer was originally, '...seems to have been...'. Not affirmative,
but rather guiding.

Until there is no clear information on the issue, you cannot conclude
it 100% sure what it is exactly about and under which CVE/tracker ID
is tracked despite whatever name it is dubbed as.

> In fact, PTS at https://tracker.debian.org/pkg/sqlite3 lists "2 security
> issues in stretch", one of which is "TEMP-0000000-AAC0D0" with description
> ""Magellan" remote code execution vulnerability". That one lists sqlite3
> version 3.26.0 as vulnerable - which, according to all available sources -
> is the fixed version (Tencent: "If your product uses SQLite, please update
> to 3.26.0"). I guess this will need fixing?

This is correct, it looks it needs fixing in stretch/jessie, it is clearly stated. 
Not in sid, though, The correct tracker ID is 
https://security-tracker.debian.org/tracker/TEMP-0000000-AAC0D0 as you stated, 
though, I assume that this has been just added very recently.

Anyway, the point here is not which exact tracker deals with the issue
but to dismiss the false assumption that the reader might have come to,
namely, the security issues are not handled - or to be seen not handled -
properly in Debian Linux.

(... 'CVE is not assigned yet, but we should track and try to fix it.' ... )

Regards,
-- 
qmi | Debian GNU/Linux enthusiast
Email: lista@miklos.info
WWW: http://www.miklos.info
GPG: 3C4B 1364 A379 7366 7FED  260A 2208 F2CE 3FCE A0D3

Reply to:

References:
- "Magellan" bug in sqlite3
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: "Magellan" bug in sqlite3
  - From: qmi <lista@miklos.info>
- Re: "Magellan" bug in sqlite3
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: "Magellan" bug in sqlite3
  - From: qmi <lista@miklos.info>
- Re: "Magellan" bug in sqlite3
  - From: Christoph Moench-Tegeder <cmt@burggraben.net>

Prev by Date: Re: "Magellan" bug in sqlite3
Next by Date: RFC: proposed fix for CVE-2018-19518 in uw-imap
Previous by thread: Re: "Magellan" bug in sqlite3
Next by thread: Re: "Magellan" bug in sqlite3
Index(es):
- Date
- Thread