| Field | Value |
|---|---|
| Summary | databases/sqlite3: Update to 3.26.0 |
| Product | Ports & Packages |
| Reporter | Pavel Volkov <pavelivolkov> |
| Component | Individual Port(s) |
| Assignee | Steve Wills <swills> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | cy, emaste, koobs, ndowens04, pavelivolkov, ports-secteam, vishwin |
| Priority | Normal |
| Keywords | needs-qa, security |
| Version | Latest |
| Flags | koobs: maintainer-feedback? ; (ports-secteam) koobs: merge-quarterly- |
| Hardware | Any |
| OS | Any |
| URL | https://www.sqlite.org/releaselog/3_26_0.html |
| See Also | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233990 |
| Bug Depends on | |
| Bug Blocks | 233713, 233791, 234112 |
| Attachments | 199736 (build log), 199737 (portlint log) |
Description

Pavel Volkov, 2018-12-02 09:28:38 UTC

Created attachment 199736 [details]: build log
Created attachment 199737 [details]: portlint log

This bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232248 is outdated.

(In reply to Pavel Volkov from comment #3)

You could have edited the older PR for this, instead of opening a new one. For now, close the older one.

A commit references this bug:

Author: swills
Date: Tue Dec 4 18:02:14 UTC 2018
New revision: 486622
URL: https://svnweb.freebsd.org/changeset/ports/486622

Log:
  databases/sqlite3: Update to 3.26.0

  PR:           233712
  Submitted by: Pavel Volkov <pavelivolkov@gmail.com> (maintainer)

Changes:
  head/databases/sqlite3/Makefile
  head/databases/sqlite3/distinfo
  head/databases/sqlite3/files/

Committed, thanks!

Tencent Blade announced an SQLite vulnerability [1] "Magellan" a number of days ago, citing an RCE (primary example vector: Chromium). Within the announcement, they say "If your product uses SQLite, please update to 3.26.0".

SQLite's changelog [2] was not obvious when it came to declaring the existence of, the source or nature of the vulnerability, so ports r486622 (3.26.0 update to head) was not / has not yet been merged to quarterly.

[1] https://blade.tencent.com/magellan/index_en.html
[2] https://www.sqlite.org/releaselog/3_26_0.html

Firefox builds now check to see if the new SQLITE_DBCONFIG_DEFENSIVE is enabled by default. We need to add this into the port somehow. Mozilla's {,old-}configure's detection logic for this may be dodgy, though.

The compile-time option for this has not been documented apart from sqlite3.c, but digging through there reveals we just need to add CPPFLAGS+=-DSQLITE_DEFAULT_DEFENSIVE.

(In reply to Charlie Li from comment #8)

Thanks for the report Charlie. This issue is strictly regarding the version update; please create a separate issue for this under www/firefox: "Requires SQLite SQLITE_DBCONFIG_DEFENSIVE" and cc the databases/sqlite3 maintainer, so that the issue can be considered and addressed independently.

Feel free to See Also: and Blocks: the main Magellan issue, bug 234112, in the new bug.

(In reply to Charlie Li from comment #8)

Hello. SQLITE_DBCONFIG_DEFENSIVE is not a compilation flag. (See: https://sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive) It's a constant: a configuration option for the sqlite3_db_config() interface. You may use it in programs that use sqlite. This port does not require additional changes. Thanks.

(In reply to Pavel Volkov from comment #10)

Mozilla upstream reverted the check for now, as it is incorrect as you mentioned. However, there is a SQLITE_DEFAULT_DEFENSIVE compile-time option that sqlite upstream hasn't documented yet. When Mozilla decides to re-add the check correctly, a new issue will be opened.

https://bugzilla.mozilla.org/show_bug.cgi?id=1514683

Missed 2018Q4 MFH window (new 2019Q1 created)
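Added example, not part of this bug, the sqlite3 port or Mozilla's build: the distinction drawn in the thread above, that SQLITE_DBCONFIG_DEFENSIVE is a per-connection option handed to sqlite3_db_config() rather than a build flag, can be exercised from Python, whose sqlite3 module exposes that call as Connection.setconfig() from Python 3.12 on (older Pythons cannot toggle the flag, which the code reports instead of guessing). The table and the replacement schema text are constructed for this example. With default flags, PRAGMA writable_schema=ON lets ordinary SQL rewrite a row of sqlite_master; with the defensive flag set on the connection, the pragma has no effect and the same UPDATE is rejected. Building the library with the CPPFLAGS+=-DSQLITE_DEFAULT_DEFENSIVE mentioned above would make the defensive branch the default for every connection without any sqlite3_db_config() call.

```python
"""SQLITE_DBCONFIG_DEFENSIVE is a run-time option, not a compile flag.

Python >= 3.12 wraps sqlite3_db_config() as Connection.setconfig(); on older
Pythons there is no way to flip the flag, so defensive_mode_supported() is
False and schema_tamper_attempt(True) refuses to pretend.
"""
import sqlite3

# Constructed input: a harmless table whose CREATE statement we then try to
# overwrite through sqlite_master.  The replacement is valid SQL so the
# database stays readable afterwards; only the schema text changes.
ORIGINAL_SQL = "CREATE TABLE t(x)"
TAMPERED_SQL = "CREATE TABLE t(x, injected)"


def defensive_mode_supported():
    """True when this Python/SQLite pair can set SQLITE_DBCONFIG_DEFENSIVE."""
    return (hasattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE")
            and hasattr(sqlite3.Connection, "setconfig"))


def schema_tamper_attempt(defensive):
    """Run the writable_schema trick against a fresh in-memory database.

    Returns a dict with: whether PRAGMA writable_schema actually switched on,
    whether the UPDATE on sqlite_master went through, and the schema text
    of table t afterwards.
    """
    conn = sqlite3.connect(":memory:")
    try:
        if defensive:
            if not defensive_mode_supported():
                raise RuntimeError(
                    "Connection.setconfig() needs Python 3.12+ on SQLite 3.26.0+")
            # Same effect as sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, 0) in C.
            conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)

        conn.execute(ORIGINAL_SQL)

        # In defensive mode this PRAGMA does not turn the flag on (SQLite
        # ignores it; the try guards against a build that rejects it instead).
        try:
            conn.execute("PRAGMA writable_schema=ON")
        except sqlite3.DatabaseError:
            pass
        writable = int(conn.execute("PRAGMA writable_schema").fetchone()[0])

        try:
            conn.execute("UPDATE sqlite_master SET sql=? WHERE name='t'",
                         (TAMPERED_SQL,))
            tampered = True
        except sqlite3.DatabaseError:
            # "table sqlite_master may not be modified"
            tampered = False

        schema_sql = conn.execute(
            "SELECT sql FROM sqlite_master WHERE name='t'").fetchone()[0]
    finally:
        conn.close()
    return {"writable_schema": writable, "tampered": tampered,
            "schema_sql": schema_sql}


if __name__ == "__main__":
    print("SQLite", sqlite3.sqlite_version,
          "defensive flag settable from Python:", defensive_mode_supported())
    print("default flags :", schema_tamper_attempt(False))
    if defensive_mode_supported():
        print("defensive mode:", schema_tamper_attempt(True))
```

The default-flags run reports whether writable_schema took effect and whether the schema row changed together, because a libsqlite3 already built with SQLITE_DEFAULT_DEFENSIVE behaves like the defensive run even when the connection never calls setconfig(); comparing the two fields is how to tell which library you are linked against.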