Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi SRMs,
I'd like to fix CVE-2017-10989, a heap-based buffer over-read via undersized
RTree blobs, in SQLite3 for Jessie.
It's considered remotely exploitable, but is still marked as no-DSA by the
Security Team. It is still worth fixing via the point update; the proposed
patch is attached.
Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog 2016-08-25 16:10:24.000000000 +0000
+++ sqlite3-3.8.7.1/debian/changelog 2017-10-03 16:13:42.000000000 +0000
@@ -1,3 +1,10 @@
+sqlite3 (3.8.7.1-1+deb8u3) jessie; urgency=medium
+
+ * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree
+ blobs (closes: #867618).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org> Tue, 03 Oct 2017 16:13:42 +0000
+
sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium
* Fix CVE-2016-6153 , Tempdir Selection Vulnerability.
diff -Nru sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch
--- sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch 2017-10-03 16:13:42.000000000 +0000
@@ -0,0 +1,47 @@
+Index: sqlite3/ext/rtree/rtree.c
+==================================================================
+--- sqlite3/ext/rtree/rtree.c
++++ sqlite3/ext/rtree/rtree.c
+@@ -3131,10 +3131,14 @@
+ pRtree->zDb, pRtree->zName
+ );
+ rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
+ if( rc!=SQLITE_OK ){
+ *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
++ }else if( pRtree->iNodeSize<(512-64) ){
++ rc = SQLITE_CORRUPT;
++ *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
++ pRtree->zName);
+ }
+ }
+
+ sqlite3_free(zSql);
+ return rc;
+
+Index: sqlite3/ext/rtree/rtreeA.test
+==================================================================
+--- sqlite3/ext/rtree/rtreeA.test
++++ sqlite3/ext/rtree/rtreeA.test
+@@ -213,8 +213,21 @@
+ } {}
+ do_corruption_tests rtreeA-6.1 {
+ 1 "DELETE FROM t1 WHERE rowid = 5"
+ 2 "UPDATE t1 SET x1=x1+1, x2=x2+1"
+ }
++
++#-------------------------------------------------------------------------
++# Truncated blobs in the _node table.
++#
++create_t1
++populate_t1
++sqlite3 db test.db
++do_execsql_test rtreeA-7.100 {
++ UPDATE t1_node SET data=x'' WHERE rowid=1;
++} {}
++do_catchsql_test rtreeA-7.110 {
++ SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
++} {1 {undersize RTree blobs in "t1_node"}}
+
+
+ finish_test
+
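Review bot: The `(512-64)` threshold on the added `else if` line is an unexplained magic number, so a reader of this backport has no way to judge whether it is the right floor for a node blob. If, as in the create path of the same function (not shown here), node blobs are sized as the database page size minus 64 and the smallest page size is 512, a one-line comment above the branch should say so: `/* the create path sizes nodes as page_size-64 and the minimum page size is 512, so a shorter blob cannot be a valid node */`. The new check also only validates the blob of node rowid 1 at open time; it is worth confirming that the per-node read path in this 3.8.7.1 tree still compares each fetched blob's length against iNodeSize, since that code is outside this hunk. The enclosing function begins before the hunk, and only its tail (sqlite3_free and return) is visible.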
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series 2016-08-25 16:10:24.000000000 +0000
+++ sqlite3-3.8.7.1/debian/patches/series 2017-10-03 16:13:42.000000000 +0000
@@ -13,3 +13,4 @@
46-CVE-2016-6153_part2.patch
47-CVE-2016-6153_part3.patch
50-fix_in-memory_journal.patch
+51-CVE-2017-10989.patch