Hello all, As the ICU package was perhaps a bit much to try as a first attempt (I am still waiting for feedback from upstream on the patches as I am unable to test them), I have decided to tackle a less challenging package for my training run: sqlite3.
Based on the security tracker, this CVE is recently made public: https://security-tracker.debian.org/tracker/CVE-2016-6153 Based on the notes there, I worked from these three upstream commits: http://www.sqlite.org/cgi/src/info/67985761aa93fb61 http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 http://www.sqlite.org/cgi/src/info/614bb709d34e1148 I read the exploit details and a proof of concept here: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt The debdiff of the changes I made is attached to this mail and I have uploaded the complete source package here: https://people.debian.org/~roberto/ Following the steps in the proof of concept (at the bottom of the korelogic.com page), I installed the vulnerable version of sqlite3 in a wheezy Docker image. After following the steps, I found that sqlite3 had ignored the directory I specified in TMPDIR: miami:~# ls -l /proc/$(pidof sqlite3)/fd/ |egrep tmp lrwx------ 1 nobody nogroup 64 Jul 2 23:32 3 -> /var/tmp/etilqs_gtsvCDCYTxqchTi (deleted) lrwx------ 1 nobody nogroup 64 Jul 2 23:32 4 -> /var/tmp/etilqs_hECZPuVuLGwZJIV (deleted) I installed the newly build sqlite3 (3.7.13-1+deb7u3) and follwed the same steps again, finding that this time sqlite correctly allowed temporary file creation in a directory without read permissions for the creating user: miami:~# ls -l /proc/$(pidof sqlite3)/fd/ |egrep tmp lrwx------ 1 nobody nogroup 64 Jul 2 23:34 3 -> /tmp/safe/etilqs_qIv0PwmhyswdIUF (deleted) lrwx------ 1 nobody nogroup 64 Jul 2 23:34 4 -> /tmp/safe/etilqs_Jtmaahr2v0UXa2I (deleted) If I understand the workflow correctly, then at this point I stil need run the gen-DLA script, mail the DLA announcement, and upload the package. This change seemed very straightforward and I am confident that it is ready for upload. I would appreciate it if someone could review my work and confirm that I have the next steps correct. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com
diff -Nru sqlite3-3.7.13/debian/changelog sqlite3-3.7.13/debian/changelog --- sqlite3-3.7.13/debian/changelog 2015-06-14 05:23:43.000000000 -0400 +++ sqlite3-3.7.13/debian/changelog 2016-07-02 23:30:43.000000000 -0400 @@ -1,3 +1,11 @@ +sqlite3 (3.7.13-1+deb7u3) wheezy-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2016-6153: Allow temporary directory without read permission as + long as it has write and execute permissions. + + -- Roberto C. Sanchez <robe...@debian.org> Sat, 02 Jul 2016 23:00:45 -0400 + sqlite3 (3.7.13-1+deb7u2) wheezy-security; urgency=high * Properly handle precision and width values during floating-point diff -Nru sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch --- sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch 1969-12-31 19:00:00.000000000 -0500 +++ sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch 2016-07-02 23:30:21.000000000 -0400 @@ -0,0 +1,62 @@ +Description: Allow temporary directory without read permission as long as it has write and execute permissions. +Origin: upstream, http://www.sqlite.org/cgi/src/info/67985761aa93fb61 http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 http://www.sqlite.org/cgi/src/info/614bb709d34e1148 +--- sqlite3-3.7.13.orig/src/os_unix.c ++++ sqlite3-3.7.13/src/os_unix.c +@@ -4787,20 +4787,24 @@ + "/tmp", + 0 /* List terminator */ + }; +- unsigned int i; ++ unsigned int i = 0; + struct stat buf; +- const char *zDir = 0; ++ const char *zDir = sqlite3_temp_directory; + +- azDirs[0] = sqlite3_temp_directory; ++ if( !azDirs[0] ) azDirs[0] = getenv("SQLITE_TMPDIR"); + if( !azDirs[1] ) azDirs[1] = getenv("TMPDIR"); +- for(i=0; i<sizeof(azDirs)/sizeof(azDirs[0]); zDir=azDirs[i++]){ +- if( zDir==0 ) continue; +- if( osStat(zDir, &buf) ) continue; +- if( !S_ISDIR(buf.st_mode) ) continue; +- if( osAccess(zDir, 07) ) continue; +- break; ++ while(1){ ++ if( zDir!=0 ++ && osStat(zDir, &buf)==0 ++ && S_ISDIR(buf.st_mode) ++ && osAccess(zDir, 03)==0 ++ ){ ++ return zDir; ++ } ++ if( i>=sizeof(azDirs)/sizeof(azDirs[0]) ) break; ++ zDir = azDirs[i++]; + } +- return zDir; ++ return 0; + } + + /* +@@ -4820,10 +4824,11 @@ + ** using the io-error infrastructure to test that SQLite handles this + ** function failing. + */ ++ zBuf[0] = 0; + SimulateIOError( return SQLITE_IOERR ); + + zDir = unixTempFileDir(); +- if( zDir==0 ) zDir = "."; ++ if( zDir==0 ) return SQLITE_IOERR_GETTEMPPATH; + + /* Check that the output buffer is large enough for the temporary file + ** name. If it is not, return SQLITE_ERROR. +--- sqlite3-3.7.13.orig/src/sqlite.h.in ++++ sqlite3-3.7.13/src/sqlite.h.in +@@ -450,6 +450,7 @@ + #define SQLITE_IOERR_SHMLOCK (SQLITE_IOERR | (20<<8)) + #define SQLITE_IOERR_SHMMAP (SQLITE_IOERR | (21<<8)) + #define SQLITE_IOERR_SEEK (SQLITE_IOERR | (22<<8)) ++#define SQLITE_IOERR_GETTEMPPATH (SQLITE_IOERR | (25<<8)) + #define SQLITE_LOCKED_SHAREDCACHE (SQLITE_LOCKED | (1<<8)) + #define SQLITE_BUSY_RECOVERY (SQLITE_BUSY | (1<<8)) + #define SQLITE_CANTOPEN_NOTEMPDIR (SQLITE_CANTOPEN | (1<<8)) diff -Nru sqlite3-3.7.13/debian/patches/series sqlite3-3.7.13/debian/patches/series --- sqlite3-3.7.13/debian/patches/series 2015-06-14 05:23:43.000000000 -0400 +++ sqlite3-3.7.13/debian/patches/series 2016-07-02 22:35:53.000000000 -0400 @@ -8,3 +8,4 @@ 31-increase_SQLITE_MAX_DEFAULT_PAGE_SIZE_to_32k.patch 40-use_fchmod_instead_of_umask.patch 41-CVE-2015-3416.patch +42-CVE-2016-6153.patch
signature.asc
Description: Digital signature
