bug#33751: SQLite "Magellan" vulnerability

Marius Bakke Fri, 14 Dec 2018 16:20:09 -0800

Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.


I think it is safe to graft 3.26.0 in-place:

$ abidiff 
/gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so 
/gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function             
                    
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable             
                    
  Function symbols changes summary: 0 Removed, 1 Added function symbol not 
referenced by debug info 
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not 
referenced by debug info 

  1 Added function symbol not referenced by debug info:                         
                    

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.

From 5556ad7f65ea1f76e1eb5f0403aa1bd2028dbe61 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mba...@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:16 +0100
Subject: [PATCH 1/2] gnu: SQLite: Update to 3.26.0.

* gnu/packages/databases.scm (sqlite): Update to 3.26.0.
---
 gnu/packages/databases.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451ed..a3848dee8e 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1183,7 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.24.0")
+   (version "3.26.0")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -1199,7 +1199,7 @@ changes.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
+              "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
-- 
2.20.0

From ac25a7202682f7f8dcd64a4b3643a92c3458fcfe Mon Sep 17 00:00:00 2001
From: Marius Bakke <mba...@fastmail.com>
Date: Sat, 15 Dec 2018 00:31:37 +0100
Subject: [PATCH 2/2] gnu: SQLite: Add static output.

* gnu/packages/databases.scm (sqlite)[arguments]: Add phase 'move-static-library'.
[outputs]: New field.
---
 gnu/packages/databases.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index a3848dee8e..148b77882f 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1209,7 +1209,22 @@ changes.")
       ;; to use the system SQLite unless these options are enabled.
       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
-                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
+                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-library
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (mkdir-p (string-append static "/lib"))
+                       (rename-file (string-append out "/lib/libsqlite3.a")
+                                    (string-append static "/lib/libsqlite3.a"))
+                       ;; Remove reference to the static library from the .la file
+                       ;; so Libtool does the right thing when both the shared and
+                       ;; static library is available.
+                       (substitute* (string-append out "/lib/libsqlite3.la")
+                         (("^old_library='libsqlite3.a'") "old_library=''"))
+                       #t))))))
+   (outputs '("out" "static"))
    (home-page "https://www.sqlite.org/";)
    (synopsis "The SQLite database management system")
    (description
-- 
2.20.0

signature.asc
Description: PGP signature

bug#33751: SQLite "Magellan" vulnerability

Reply via email to