GNU bug report logs - #47231
sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#47231: closed (sqlite package is vulnerable to
 CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435,
 CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and
 CVE-2020-9327)
Date: Fri, 26 Mar 2021 01:37:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Fri, 26 Mar 2021 02:36:16 +0100
with message-id <318a4b5eed01580d377cc8199a4bfb0db30b5eeb.camel <at> zaclys.net>
and subject line Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
has caused the debbugs.gnu.org bug report #47231,
regarding sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
47231: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47231
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656,
 CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631,
 CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 18 Mar 2021 12:42:43 +0100

[Message part 3 (text/plain, inline)]

According to
https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards
compatible.

It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an errorneous
test testing internal sqlite implementation detail (but grafting wont
actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see 
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo

[0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

[Message part 6 (message/rfc822, inline)]

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Mark H Weaver <mhw <at> netris.org>, 47231-done <at> debbugs.gnu.org, Tobias
 Geerinckx-Rice <me <at> tobias.gr>
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
 CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
 CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Fri, 26 Mar 2021 02:36:16 +0100

[Message part 7 (text/plain, inline)]

On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
> 
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed'
> should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
> 
> Otherwise, it looks good to me!
> 
>      Thanks,
>        Mark

Adapted, wasnt sure what package/inherit was for exactly.

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long.  If that doesn't cause 
> > problems this LGTM for master.
> 
> OK, it worked, old IceCat writes new SQlite files.
> 
> Kind regards,
> 
> T G-R

Thank you both for the review!

Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.