From: bug#47231 <47231@debbugs.gnu.org>
To: bug#47231 <47231@debbugs.gnu.org>
Subject: Status: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Reply-To: bug#47231 <47231@debbugs.gnu.org>
Date: Wed, 18 Jun 2025 03:15:16 +0000

retitle 47231 sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
reassign 47231 guix
submitter 47231 Léo Le Bouter
severity 47231 normal
tag 47231 security
thanks

Message-ID: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net>
Subject: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
From: Léo Le Bouter
To: bug-guix@gnu.org
Date: Thu, 18 Mar 2021 12:42:43 +0100

According to https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards compatible.

It means we could graft without trouble, 3.32.3 fixes all CVEs, however 3.32 introduces a test failure in Python 3.8.2 which is an erroneous test testing internal sqlite implementation detail (but grafting won't actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this but it turns out unnecessarily complicated, see https://issues.guix.gnu.org/47230 for suggestions on improving that process.

Attached WIP patch.

Thank you!

Léo

Content-Disposition: attachment; filename="0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch"
Content-Type: text/x-patch; name="0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch"; charset="UTF-8"

From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Fri, 19 Mar 2021 11:30:05 +0100

tags 47231 + security
quit

From: Léo Le Bouter
To: 47231@debbugs.gnu.org
Date: Wed, 24 Mar 2021 00:37:00 +0100
In-Reply-To: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net>

One more:

CVE-2021-20227 23.03.21 18:15
A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.

From: Léo Le Bouter
To: 47231@debbugs.gnu.org
Date: Wed, 24 Mar 2021 23:54:52 +0100
References: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net>

I could test the graft with GNU Guix's test suite by manually replacing the sqlite input with sqlite/fixed like so:

diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 888f54322d..70f5c2dad3 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm
@@ -389,7 +389,7 @@ $(prefix)/etc/init.d\n"))) (inputs `(("bzip2" ,bzip2) ("gzip" ,gzip) - ("sqlite" ,sqlite) + ("sqlite" ,sqlite/fixed) ("libgcrypt" ,libgcrypt) =20 ("guile" ,guile-3.0-latest)

It worked fine. Is that enough of a test to graft in master? Let me know and I will push.

Léo
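
Review bot: The `+ ("sqlite" ,sqlite/fixed)` line in the guix package inputs builds Guix directly against sqlite/fixed, so the test suite exercises a fresh build rather than the grafted case, where a binary built against the old sqlite ends up running with the new library. Keep this hunk as a local test aid only and leave it out of the pushed commit, since the `(replacement sqlite/fixed)` field already covers the guix package once the graft is in. To cover what a graft actually produces, also run a dependent that was built against the current sqlite with the replacement applied and have it open and write a database.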

From: Tobias Geerinckx-Rice
To: Léo Le Bouter, Ludovic Courtès
Cc: 47231@debbugs.gnu.org, bug-guix@gnu.org
Date: Thu, 25 Mar 2021 12:27:28 +0100
Message-ID: <87y2ebh3rz.fsf@nckx>
References: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net>

Thanks!

I'm currently rebuilding IceCat with this change as an extra precaution, but that shouldn't take long. If that doesn't cause problems this LGTM for master.

Ludo', do you think the Guix test described here is a good one?

Kind regards,

T G-R

From: Tobias Geerinckx-Rice
Cc: 47231@debbugs.gnu.org, Léo Le Bouter, bug-guix@gnu.org
Date: Thu, 25 Mar 2021 16:56:00 +0100
In-reply-to: <87y2ebh3rz.fsf@nckx>
Message-ID: <87lfabgrcf.fsf@nckx>

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:

> I'm currently rebuilding IceCat with this change as an extra
> precaution, but that shouldn't take long. If that doesn't cause
> problems this LGTM for master.

OK, it worked, old IceCat writes new SQlite files.

Kind regards,

T G-R

From: Mark H Weaver
To: Léo Le Bouter, 47231@debbugs.gnu.org
Date: Thu, 25 Mar 2021 21:23:56 -0400
In-Reply-To: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net>
Message-ID: <878s6ar9ko.fsf@netris.org>

Léo Le Bouter via Bug reports for GNU Guix writes:

> From b0f9566e9ff9a5f409a3fd4293c048ec58bc770d Mon Sep 17 00:00:00 2001
> From: =3D?UTF-8?q?L=3DC3=3DA9o=3D20Le=3D20Bouter?=3D > Date: Thu, 18 Mar 2021 07:09:10 +0100 > Subject: [PATCH] gnu: sqlite: Update to 3.32.3 [security fixes]. > > * gnu/packages/sqlite.scm (sqlite/fixed): New variable. > (sqlite)[replacement]: Graft. > --- > gnu/packages/sqlite.scm | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/gnu/packages/sqlite.scm b/gnu/packages/sqlite.scm > index eeb77749d8..cc378b359a 100644 > --- a/gnu/packages/sqlite.scm > +++ b/gnu/packages/sqlite.scm > @@ -65,6 +65,7 @@ > (sha256 > (base32 > "1bj936svd8i5g25xd1bj52hj4zca01fgl3sqkj86z9q5pkz4wa32")))) > + (replacement sqlite/fixed) > (build-system gnu-build-system) > (inputs `(("readline" ,readline))) > (native-inputs (if (hurd-target?) 
> @@ -122,6 +123,26 @@ widely deployed SQL database engine in the world. T= he source code for SQLite > is in the public domain.") > (license license:public-domain))) >=20=20 > +(define-public sqlite/fixed > + (package/inherit sqlite

Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should
*not* use 'package/inherit', since the package you're defining is the
replacement for the package you're inheriting from.

Otherwise, it looks good to me!

Thanks,
Mark
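
Review bot: In the second hunk, `+ (package/inherit sqlite` should be a plain `(package (inherit sqlite) ...)` form. package/inherit also applies its overrides to the replacement of the package it inherits from, and the first hunk makes sqlite's replacement sqlite/fixed itself, so the definition would refer back to the package being defined. The rest of the sqlite/fixed form is cut off in this quote, so its version, source URI and hash are not covered by this comment.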
bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327 
From: Léo Le Bouter
To: Mark H Weaver, 47231-done@debbugs.gnu.org, Tobias Geerinckx-Rice
Date: Fri, 26 Mar 2021 02:36:16 +0100
In-Reply-To: <878s6ar9ko.fsf@netris.org>
References: <0381641839f5d0e71cbb496b95b9947a2a2c2799.camel@zaclys.net> <878s6ar9ko.fsf@netris.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-T4TN7okIh5PzuysP4Ndv"
User-Agent: Evolution 3.34.2
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47231-done
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit"
X-Spam-Score: -1.0 (-)

--=-T4TN7okIh5PzuysP4Ndv
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
>
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed'
> should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
>
> Otherwise, it looks good to me!
>
> Thanks,
> Mark

Adapted, wasn't sure what package/inherit was for exactly.

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long. If that doesn't cause
> > problems this LGTM for master.
>
> OK, it worked, old IceCat writes new SQLite files.
>
> Kind regards,
>
> T G-R

Thank you both for the review!

Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!
--=-T4TN7okIh5PzuysP4Ndv--

From unknown Tue Jun 17 20:15:16 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 23 Apr 2021 11:24:07 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
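
Review bot: In the second hunk (@@ -122,6 +123,26 @@), 'sqlite/fixed' is defined with '(package/inherit sqlite', while the first hunk makes 'sqlite/fixed' the 'replacement' of 'sqlite', so the new package inherits from the very package it replaces. 'package/inherit' applies the same overrides to the replacement of the package it inherits from, which here is 'sqlite/fixed' itself; a plain '(package (inherit sqlite) ...)' avoids that self-reference, as already noted for 'mysql/fixed'. The rest of this hunk is cut off in this copy of the patch, so the new version string and source hash cannot be checked against the "Update to 3.32.3" in the commit subject from the visible lines.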