Bug 199483

Summary: databases/sqlite3: Multiple vulnerabilities corrected in 3.8.9.0
Product: Ports & Packages
Reporter: rsimmons0
Component: Individual Port(s)
Assignee: Jan Beich <jbeich>
Status: Closed FIXED
Severity: Affects Only Me
CC: jbeich, pavelivolkov, portmgr, ports-secteam
Priority: ---
Keywords: needs-patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (pavelivolkov)
Hardware: Any
OS: Any
Bug Depends on: 199312
Bug Blocks:

Description rsimmons0 2015-04-16 14:07:57 UTC
Michal Zalewski reported a number of vulnerabilities in Sqlite3 that are now fixed in version 3.8.9.0. This version has been updated in FreeBSD's ports collection, but the older versions lower than current should be marked as vulnerable.

Here is the report:
http://seclists.org/fulldisclosure/2015/Apr/31
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2015-04-17 05:28:14 UTC
3.8.9(.0) was recently committed to the Ports tree. Does that resolve this PR?
Comment 2 Jan Beich freebsd_committer freebsd_triage 2015-04-17 07:11:18 UTC
needs-patch is for someone to write a VuXML entry. Unfortunately, the wording in comment 0's URL cannot be used as is in the <blockquote> section. I think it should be more formal and succinct. See how other vulnerabilities are documented.

(In reply to Kubilay Kocak from comment #1)
No, previous sqlite3 versions are still NOT marked vulnerable and 2015Q2 contains 3.8.8.3.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2015-04-17 09:42:17 UTC
So to clarify, we need:

- A VuXML patch for the SA
- An MFH of an existing commit, or a new one?
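For readers unfamiliar with what comments 2 and 4 are asking for, the following is an added illustration of a VuXML entry of the shape that goes into security/vuxml/vuln.xml; it is not the entry committed in r384217 or r385815. The package names, version bound, CVE numbers, report URL and entry dates are taken from this bug; the vid UUID, the discovery date and the quoted description text are placeholders.

```xml
<!-- Added example entry; vid is a placeholder, a real entry uses a fresh UUID -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>sqlite3 -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <!-- both ports ship the same upstream code, so both are listed -->
      <name>sqlite3</name>
      <name>tcl-sqlite3</name>
      <!-- bound uses the port's version string, as pkg(8) compares it -->
      <range><lt>3.8.9.0</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Michal Zalewski reports:</p>
      <blockquote cite="http://seclists.org/fulldisclosure/2015/Apr/31">
        <!-- placeholder: a short, formal summary of the affected
             functionality, not the informal wording of the post -->
        <p>[summary of the affected SQLite functionality]</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-3414</cvename>
    <cvename>CVE-2015-3415</cvename>
    <cvename>CVE-2015-3416</cvename>
    <url>http://seclists.org/fulldisclosure/2015/Apr/31</url>
    <url>https://sqlite.org/releaselog/3_8_9.html</url>
  </references>
  <dates>
    <!-- placeholder: date of the public report -->
    <discovery>YYYY-MM-DD</discovery>
    <!-- entry and modified dates follow the two commits in this bug -->
    <entry>2015-04-18</entry>
    <modified>2015-05-08</modified>
  </dates>
</vuln>
```

Before committing, `make validate` in security/vuxml checks the entry against the schema, and `pkg audit` against the ports tree's vuln.xml confirms that an installed 3.8.8.x package is flagged.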
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-04-18 10:17:32 UTC
A commit references this bug:

Author: jbeich
Date: Sat Apr 18 10:17:26 UTC 2015
New revision: 384217
URL: https://svnweb.freebsd.org/changeset/ports/384217

Log:
  Document sqlite3 multiple vulnerabilities

  PR:		199483

Changes:
  head/security/vuxml/vuln.xml
Comment 6 Jan Beich freebsd_committer freebsd_triage 2015-04-18 10:31:31 UTC
I've added a VuXML entry as bad as the Debian analog. The upside being lack of bias in the interpretation.

Now awaiting MFH approval (via mail).
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-05-08 18:43:32 UTC
A commit references this bug:

Author: jbeich
Date: Fri May  8 18:42:32 UTC 2015
New revision: 385815
URL: https://svnweb.freebsd.org/changeset/ports/385815

Log:
  VuXML: update sqlite3 entry with verbose descriptions. CVE-2015-341[4-6]

  PR:		199483

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Jan Beich freebsd_committer freebsd_triage 2015-05-08 18:51:45 UTC
Closing per timeout. No approval to MFH ports r384086 received.

> From: Jan Beich <jbeich@FreeBSD.org>
> To: portmgr@FreeBSD.org, ports-secteam@FreeBSD.org
> Subject: MFH request r384086 to 2015Q2
> Date: Sat, 18 Apr 2015 01:46:51 +0200
> Message-ID: <lhhq-nwr8-wny@FreeBSD.org>
>
> Per bug 199483 I want to backport r384086 (skipping r384095 and r384137)
> in order to fix multiple vulnerabilities that lack CVE numbers.
[...]
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-05-09 05:17:40 UTC
A commit references this bug:

Author: jbeich
Date: Sat May  9 05:16:55 UTC 2015
New revision: 385863
URL: https://svnweb.freebsd.org/changeset/ports/385863

Log:
  MFH: r384086

  Update to version 3.8.9

  Changes:	https://sqlite.org/releaselog/3_8_9.html
  ACC report:	http://upstream-tracker.org/compat_reports/sqlite/3080803_to_3080900/abi_compat_report.html
  PR:		199312
  PR:		199313
  PR:		199483
  Submitted by:	Pavel Volkov <pavelivolkov@gmail.com> (maintainer)
  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2015Q2/
  branches/2015Q2/databases/sqlite3/Makefile
  branches/2015Q2/databases/sqlite3/distinfo
  branches/2015Q2/databases/tcl-sqlite3/Makefile
  branches/2015Q2/databases/tcl-sqlite3/distinfo