Re: Inquiry on Bullseye and https://security-tracker.debian.org/tracker/CVE-2019-8457

To: debian-security@lists.debian.org
Cc: christopher.m.penalver@gmail.com, ondrej@sury.org
Subject: Re: Inquiry on Bullseye and https://security-tracker.debian.org/tracker/CVE-2019-8457
From: Ángel <debian-security@debian.16bits.net>
Date: Sun, 04 Sep 2022 02:20:02 +0200
Message-id: <[🔎] 9e9c558d3b90078c946f6bbddab99c05ce23ce47.camel@debian.16bits.net>
In-reply-to: <7920faf4-8ad1-4e2d-25fe-a315039c4bbe@gmail.com>
References: <7920faf4-8ad1-4e2d-25fe-a315039c4bbe@gmail.com>

On 2022-08-26 at 05:02 -0400, Chris Penalver wrote:
> Hi Debian Security Team,
> 
> I am inquiring on Debian Bullseye as it relates to:
> 
> https://security-tracker.debian.org/tracker/CVE-2019-8457
> 
> Specifically, it is noted the team has put in a good faith effort in 
> analyzing the feasibility of backporting relevant patches to
> Bullseye, and classifying the urgency of such effort. My read of this
> so far is that it's a debug mode only exposure, normally disabled in
> production (by default).

No. My reading of Ola mail [1] is that the function is not called at
all in the package. So, unless you recompiled the affected package
ading a call to sqlite3_rtree_init you are not affected, even if the
vulnerable code is there as dead code.

> With that said, for those environment who are using Bullseye, outside
> of the amount of changes required for the backport, is there any
> technical 'gotchas' or further advice the team could provide for
> those who are considering a self-maintain of relevant patches from
> bookworm / sid into Bullseye while the discussion continues on this?

The bug in db5.3 was fixed in 5.3.28+dfsg1-0.9 [2] with patch [3] over
the same version which is present in bullseye:

bullseye is in db5.3 5.3.28+dfsg1-0.8
bookworm is in db5.3 5.3.28+dfsg1-0.10

The latest is not suitable due to the changes in -0.10 but I think 5.3.
28+dfsg1-0.9 can go to bullseye, or at least on the 11.6 point release
(I think it may already be too late for 11.5, scheduled for 
Sep 11th)

It's arguable if one should provide a security update for an issue on a
function which is never-called, but in that case I think CVE-2019-8457
should have been marked as non-affected instead of vulnerable (and as
Jonas pointed out the *source* package *is* vulnerable)

Anyway, I wouldn't complicate with the schrödingerness of the
vulnerability and just ship a fixed package with the available patch,
equivalent to -0.9. Worst case, a patch changing a dead function is not
going to break anything, and the vulnerability can be safely declared
as fixed in bullseye, for everybody's peace of mind (you are not the
only one who would be interested in a backport, see #1010974).

I'm not sure who would be uploading it, though. Probably Ondrej
(although the Debian Berkeley DB packages have been put for adoption) o
r someone else from the security team. Should be simple enough, but
still needs someone to do it.

Regards

1- https://lists.debian.org/debian-lts/2019/06/msg00036.html
2- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010974
3- 
https://sources.debian.org/patches/db5.3/5.3.28+dfsg1-0.10/CVE-2019-8457.patch/

Reply to:

Next by Date: Vulnerability in pcs or is it in more generic code?
Next by thread: Vulnerability in pcs or is it in more generic code?
Index(es):
- Date
- Thread