GNU bug report logs - #47231
sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Thu, 18 Mar 2021 11:43:02 UTC

Severity: normal

Tags: security

Done: Léo Le Bouter <lle-bout <at> zaclys.net>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656,
 CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631,
 CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 18 Mar 2021 12:42:43 +0100

[Message part 1 (text/plain, inline)]
According to
https://www.sqlite.org/versionnumbers.html major versions of sqlite remain ABI and file format backwards
compatible.

It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an errorneous
test testing internal sqlite implementation detail (but grafting wont
actually re-run this test suite).

See: https://bugs.python.org/issue40784

Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see 
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.

Attached WIP patch.

Thank you!

Léo

[0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 54 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.