Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi SRMs,
I'd like to fix CVE-2017-10989, a heap-based buffer over-read via undersized RTree blobs, in SQLite3 for Stretch.
It is considered remotely exploitable but is still marked no-DSA by the Security Team. It is nonetheless worth fixing via the point update; the proposed patch is attached.
Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog
--- sqlite3-3.16.2/debian/changelog 2017-06-08 22:07:42.000000000 +0000
+++ sqlite3-3.16.2/debian/changelog 2017-10-03 16:13:44.000000000 +0000
@@ -1,3 +1,10 @@
+sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree
+ blobs (closes: #867618).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org> Tue, 03 Oct 2017 16:13:44 +0000
+
sqlite3 (3.16.2-5) unstable; urgency=medium
* Backport fix for corruption due to REPLACE in an auto-vacuumed database.
diff -Nru sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch
--- sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch 1970-01-01 00:00:00.000000000 +0000
+++ sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch 2017-10-03 16:13:44.000000000 +0000
@@ -0,0 +1,47 @@
+Index: sqlite3/ext/rtree/rtree.c
+==================================================================
+--- sqlite3/ext/rtree/rtree.c
++++ sqlite3/ext/rtree/rtree.c
+@@ -3207,10 +3207,14 @@
+ pRtree->zDb, pRtree->zName
+ );
+ rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
+ if( rc!=SQLITE_OK ){
+ *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
++ }else if( pRtree->iNodeSize<(512-64) ){
++ rc = SQLITE_CORRUPT;
++ *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
++ pRtree->zName);
+ }
+ }
+
+ sqlite3_free(zSql);
+ return rc;
+
+Index: sqlite3/ext/rtree/rtreeA.test
+==================================================================
+--- sqlite3/ext/rtree/rtreeA.test
++++ sqlite3/ext/rtree/rtreeA.test
+@@ -213,8 +213,21 @@
+ } {}
+ do_corruption_tests rtreeA-6.1 {
+ 1 "DELETE FROM t1 WHERE rowid = 5"
+ 2 "UPDATE t1 SET x1=x1+1, x2=x2+1"
+ }
++
++#-------------------------------------------------------------------------
++# Truncated blobs in the _node table.
++#
++create_t1
++populate_t1
++sqlite3 db test.db
++do_execsql_test rtreeA-7.100 {
++ UPDATE t1_node SET data=x'' WHERE rowid=1;
++} {}
++do_catchsql_test rtreeA-7.110 {
++ SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
++} {1 {undersize RTree blobs in "t1_node"}}
+
+
+ finish_test
+
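Review bot: The added patch file begins directly at the `Index:` line with no DEP-3 header, so the origin of the backport and the bug it fixes are only recoverable from debian/changelog; a header such as `Description: Reject undersized RTree node blobs (CVE-2017-10989)`, `Origin: upstream, <UPSTREAM-CHECKIN-URL placeholder>` and `Bug-Debian: https://bugs.debian.org/867618` placed above `Index:` would make the patch self-describing for the next rebase. The lower bound `512-64` (448) in the new `else if` branch is also an unexplained magic value; a one-line why-comment next to it, hedged as the smallest node size the reader code is presumed to assume unless confirmed against the upstream check-in, would help whoever later adjusts it. The enclosing function in rtree.c starts before and ends after the quoted hunk, so the rest of its error handling cannot be checked here.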
diff -Nru sqlite3-3.16.2/debian/patches/series sqlite3-3.16.2/debian/patches/series
--- sqlite3-3.16.2/debian/patches/series 2017-06-08 22:07:42.000000000 +0000
+++ sqlite3-3.16.2/debian/patches/series 2017-10-03 16:13:44.000000000 +0000
@@ -13,3 +13,4 @@
42-JSON-2_2.patch
43-JSON-3.patch
50-REPLACE_corruption_fix.patch
+51-CVE-2017-10989.patch