Bug 233712 - databases/sqlite3: Update to 3.26.0
Summary: databases/sqlite3: Update to 3.26.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Steve Wills
URL: https://www.sqlite.org/releaselog/3_2...
Keywords: needs-qa, security
Depends on:
Blocks: 234112 233713 233791
  Show dependency treegraph
 
Reported: 2018-12-02 09:28 UTC by Pavel Volkov
Modified: 2019-01-02 04:48 UTC (History)
7 users (show)

See Also:
koobs: maintainer-feedback? (ports-secteam)
koobs: merge-quarterly-


Attachments
patch (3.03 KB, patch)
2018-12-02 09:28 UTC, Pavel Volkov
pavelivolkov: maintainer-approval+
Details | Diff
build log (19.31 KB, text/plain)
2018-12-02 09:29 UTC, Pavel Volkov
no flags Details
portlint log (25.85 KB, text/plain)
2018-12-02 09:30 UTC, Pavel Volkov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Pavel Volkov 2018-12-02 09:28:38 UTC
Created attachment 199735 [details]
patch

1. New version 3.26.0. Changes log may be found on URL https://www.sqlite.org/releaselog/3_26_0.html
2. Reordered directives on the Makefile.
3. Added new option 'NORMALIZE'.
Comment 1 Pavel Volkov 2018-12-02 09:29:59 UTC
Created attachment 199736 [details]
build log
Comment 2 Pavel Volkov 2018-12-02 09:30:24 UTC
Created attachment 199737 [details]
portlint log
Comment 3 Pavel Volkov 2018-12-02 09:36:04 UTC
This bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232248 is outdated.
Comment 4 Nathan 2018-12-02 16:01:04 UTC
(In reply to Pavel Volkov from comment #3)
You could have edited the older PR for this, instead of opening a new one. For now, close the older one
Comment 5 commit-hook freebsd_committer 2018-12-04 18:02:36 UTC
A commit references this bug:

Author: swills
Date: Tue Dec  4 18:02:14 UTC 2018
New revision: 486622
URL: https://svnweb.freebsd.org/changeset/ports/486622

Log:
  databases/sqlite3: Update to 3.26.0

  PR:		233712
  Submitted by:	Pavel Volkov <pavelivolkov@gmail.com> (maintainer)

Changes:
  head/databases/sqlite3/Makefile
  head/databases/sqlite3/distinfo
  head/databases/sqlite3/files/
Comment 6 Steve Wills freebsd_committer 2018-12-04 18:03:21 UTC
Committed, thanks!
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-17 07:22:28 UTC
Tencent Blade announced an SQLite vulnerability [1] "Magellan" a number of days ago, citing an RCE (primary example vector: Chromium).

Within the announcement, they say "If your product uses SQLite, please update to 3.26.0".

SQLite's changelog [2] was not obvious when it came to declaring the existence of, the source or nature of the vulnerability, so ports r486622 (3.26.0 update to head) was not / has not yet been merged to quarterly. 

[1] https://blade.tencent.com/magellan/index_en.html
[2] https://www.sqlite.org/releaselog/3_26_0.html
Comment 8 Charlie Li 2018-12-21 04:42:24 UTC
Firefox builds now check to see if the new SQLITE_DBCONFIG_DEFENSIVE is enabled by default. We need to add this into the port somehow. Mozilla's {,old-}configure's detection logic for this may be dodgy, though.

The compile-time option for this has not been documented apart from sqlite3.c, but digging through there reveals we just need to add CPPFLAGS+=-DSQLITE_DEFAULT_DEFENSIVE.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-21 05:32:35 UTC
(In reply to Charlie Li from comment #8)

Thanks for the report Charlie. This issue is strictly regarding the version update, please create a separate issue for this under www/firefox: Requires SQLite SQLITE_DBCONFIG_DEFENSIVE and cc the databases/sqlite3 maintainer, so that the issue can be considered and addressed independently.

Feel free to See Also: and Blocks: the main Magellan issue: bug 234112 in the new bug
Comment 10 Pavel Volkov 2018-12-22 11:03:20 UTC
(In reply to Charlie Li from comment #8)
Hello.
SQLITE_DBCONFIG_DEFENSIVE - it is do not compilation flag. (See: https://sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive)
It's constant. Configuration option for sqlite3_db_config() interface.
You may used it with program products, that use sqlite.
This port does not require additional changes.
Thanks.
Comment 11 Charlie Li 2018-12-22 11:10:36 UTC
(In reply to Pavel Volkov from comment #10)
Mozilla upstream reverted the check for now, as it is incorrect as you mentioned. However, there is a SQLITE_DEFAULT_DEFENSIVE compile-time option that sqlite upstream hasn't documented yet. When Mozilla decides to re-add the check correctly, a new issue will be opened.

https://bugzilla.mozilla.org/show_bug.cgi?id=1514683
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2019-01-02 04:48:01 UTC
Missed 2018Q4 MFH window (new 2019Q1 created)