Bug 247149 - Multiple sqlite3 vulnerabilities (ports and base)
Summary: Multiple sqlite3 vulnerabilities (ports and base)
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any   OS: Any
Importance: Normal   Affects Many People
Assignee: Security Team
URL: https://www.sqlite.org/changes.html
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2020-06-10 16:45 UTC by rob2g2
Modified: 2020-07-08 15:28 UTC (History)
13 users

See Also:
koobs: maintainer-feedback+
koobs: maintainer-feedback? (secteam)
koobs: merge-quarterly+


Attachments
vuxml patch to inform users about sqlite3 issues (1.48 KB, patch)
2020-06-10 16:45 UTC, rob2g2
correct most recent sqlite3 entry (455 bytes, patch)
2020-06-25 13:42 UTC, rob2g2

Description rob2g2 2020-06-10 16:45:30 UTC
Created attachment 215423
vuxml patch to inform users about sqlite3 issues

sqlite3 released version 3.32, fixing various vulnerabilities.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-12 01:11:47 UTC
Thank you for the report.

Presumably this affects sqlite in base as well?
Comment 2 Cy Schubert freebsd_committer 2020-06-12 01:53:13 UTC
Yes.

The updated port is compiling here.

Working on the vendor branch import.
Comment 3 Cy Schubert freebsd_committer 2020-06-12 01:59:13 UTC
Vendor import is done.

Port builds cleanly. Should I commit the port now or when base is committed?
Comment 4 Cy Schubert freebsd_committer 2020-06-12 02:06:08 UTC
universe13b will do the heavy lifting.
Comment 5 Cy Schubert freebsd_committer 2020-06-12 02:13:42 UTC
The URL in the patch is about GIT.

The port is committed to my git repo. I prefer to have an approved-by before I push it to svn.
Comment 6 commit-hook freebsd_committer 2020-06-12 13:03:10 UTC
A commit references this bug:

Author: cy
Date: Fri Jun 12 13:02:46 UTC 2020
New revision: 362095
URL: https://svnweb.freebsd.org/changeset/base/362095

Log:
  MFV r362082:

  Update sqlite3 3.31.1 --> 3.32.0.

  PR:		247149
  Reported by:	spam123@bitbert.com
  Reminded by:	emaste
  MFC after:	3 days
  Security:	CVE-2020-11655, CVE-2020-13434, CVE-2020-13435,
  		CVE-2020-13630, CVE-2020-13631, CVE-2020-13632

Changes:
_U  head/contrib/sqlite3/
  head/contrib/sqlite3/Makefile.msc
  head/contrib/sqlite3/configure
  head/contrib/sqlite3/configure.ac
  head/contrib/sqlite3/shell.c
  head/contrib/sqlite3/sqlite3.c
  head/contrib/sqlite3/sqlite3.h
  head/contrib/sqlite3/sqlite3ext.h
  head/contrib/sqlite3/tea/configure
  head/contrib/sqlite3/tea/configure.ac
  head/contrib/sqlite3/tea/generic/tclsqlite3.c
Comment 7 commit-hook freebsd_committer 2020-06-12 13:03:14 UTC
A commit references this bug:

Author: cy
Date: Fri Jun 12 13:02:53 UTC 2020
New revision: 538614
URL: https://svnweb.freebsd.org/changeset/ports/538614

Log:
  Update 3.31.1 --> 3.32.0

  Address multiple security vulnerabilities.

  PR:		247149
  Reported by:	spam123@bitbert.com
  Reminded by:	emaste
  Approved by:	portmgr (blanket: security bugfix)
  MFH:		2020Q2
  Security:	CVE-2020-11655, CVE-2020-13434, CVE-2020-13435,
  		CVE-2020-13630, CVE-2020-13631, CVE-2020-13632

Changes:
  head/databases/sqlite3/Makefile
  head/databases/sqlite3/distinfo
  head/databases/sqlite3/files/patch-sqlite3.c
Comment 8 Cy Schubert freebsd_committer 2020-06-12 16:45:28 UTC
The vuxml patch needs a bit of cleanup too.
Comment 9 commit-hook freebsd_committer 2020-06-13 04:43:43 UTC
A commit references this bug:

Author: cy
Date: Sat Jun 13 04:43:35 UTC 2020
New revision: 538637
URL: https://svnweb.freebsd.org/changeset/ports/538637

Log:
  Document multiple sqlite3 vulnerabilities with CVSS scores ranging
  from 5.5 (medium) to 7.5 (high).

  PR:		247149

Changes:
  head/security/vuxml/vuln.xml
Comment 10 Cy Schubert freebsd_committer 2020-06-13 04:45:48 UTC
sqlite3 3.32.0 will not fix all of the CVEs. 3.32.2 will be committed.
Comment 11 commit-hook freebsd_committer 2020-06-13 04:48:56 UTC
A commit references this bug:

Author: cy
Date: Sat Jun 13 04:48:16 UTC 2020
New revision: 362145
URL: https://svnweb.freebsd.org/changeset/base/362145

Log:
  MFV r362143:

  Update sqlite3 to 3.32.2 (3320200).

  CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of
  service (segmentation fault) via a malformed window-function query because
  the AggInfo object's initialization is mishandled.

  CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in
  sqlite3_str_vappendf in printf.c.

  CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in
  sqlite3ExprCodeTarget in expr.c.

  CVE-2020-13630: ext/fts3/fts3.c in SQLite before 3.32.0 has a
  use-after-free in fts3EvalNextRow, related to the snippet feature.

  CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed
  to the name of one of its shadow tables, related to alter.c and build.c.

  CVE-2020-13632: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a
  NULL pointer dereference via a crafted matchinfo() query.

  PR:		247149
  Reported by:	spam123@bitbert.com
  MFC after:	3 days
  Security:	vuxml: c4ac9c79-ab37-11ea-8b5e-b42e99a1b9c3
  		https://nvd.nist.gov/vuln/detail/CVE-2020-11655
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13434
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13435
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13630
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13631
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13632

Changes:
_U  head/contrib/sqlite3/
  head/contrib/sqlite3/configure
  head/contrib/sqlite3/configure.ac
  head/contrib/sqlite3/shell.c
  head/contrib/sqlite3/sqlite3.c
  head/contrib/sqlite3/sqlite3.h
  head/contrib/sqlite3/tea/configure
  head/contrib/sqlite3/tea/configure.ac
Comment 12 commit-hook freebsd_committer 2020-06-15 03:11:06 UTC
A commit references this bug:

Author: cy
Date: Mon Jun 15 03:10:57 UTC 2020
New revision: 362190
URL: https://svnweb.freebsd.org/changeset/base/362190

Log:
  MFC r362095, r362145

  r362095:
  MFV r362082:

  Update sqlite3 3.31.1 --> 3.32.0.

  PR:		247149
  Reported by:	spam123@bitbert.com
  Reminded by:	emaste
  Security:	CVE-2020-11655, CVE-2020-13434, CVE-2020-13435,
  		CVE-2020-13630, CVE-2020-13631, CVE-2020-13632

  r362145:
  MFV r362143:

  Update sqlite3 to 3.32.2 (3320200).

  CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of
  service (segmentation fault) via a malformed window-function query because
  the AggInfo object's initialization is mishandled.

  CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in
  sqlite3_str_vappendf in printf.c.

  CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in
  sqlite3ExprCodeTarget in expr.c.

  CVE-2020-13630: ext/fts3/fts3.c in SQLite before 3.32.0 has a
  use-after-free in fts3EvalNextRow, related to the snippet feature.

  CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed
  to the name of one of its shadow tables, related to alter.c and build.c.

  CVE-2020-13632: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a
  NULL pointer dereference via a crafted matchinfo() query.

  PR:		247149
  Reported by:	spam123@bitbert.com
  Security:	vuxml: c4ac9c79-ab37-11ea-8b5e-b42e99a1b9c3
  		https://nvd.nist.gov/vuln/detail/CVE-2020-11655
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13434
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13435
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13630
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13631
  		https://nvd.nist.gov/vuln/detail/CVE-2020-13632

Changes:
_U  stable/11/
  stable/11/contrib/sqlite3/Makefile.msc
  stable/11/contrib/sqlite3/configure
  stable/11/contrib/sqlite3/configure.ac
  stable/11/contrib/sqlite3/shell.c
  stable/11/contrib/sqlite3/sqlite3.c
  stable/11/contrib/sqlite3/sqlite3.h
  stable/11/contrib/sqlite3/sqlite3ext.h
  stable/11/contrib/sqlite3/tea/configure
  stable/11/contrib/sqlite3/tea/configure.ac
  stable/11/contrib/sqlite3/tea/generic/tclsqlite3.c
_U  stable/12/
  stable/12/contrib/sqlite3/Makefile.msc
  stable/12/contrib/sqlite3/configure
  stable/12/contrib/sqlite3/configure.ac
  stable/12/contrib/sqlite3/shell.c
  stable/12/contrib/sqlite3/sqlite3.c
  stable/12/contrib/sqlite3/sqlite3.h
  stable/12/contrib/sqlite3/sqlite3ext.h
  stable/12/contrib/sqlite3/tea/configure
  stable/12/contrib/sqlite3/tea/configure.ac
  stable/12/contrib/sqlite3/tea/generic/tclsqlite3.c
Comment 14 PauAmma 2020-06-22 11:11:18 UTC
Any idea when this will be available for people who prefer to track -RELEASE-p<n> versions? It's been over a week since I first saw a mention of it in my daily emails. (On 12.1-RELEASE-p6 here currently.)
Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-22 11:38:47 UTC
Ports updates have been committed to head and merged to quarterly

base changes have been committed to head and merged to stable12 and stable11

^Triage: Over to secteam@, pending Security Advisory (SA) and release bits.
Comment 16 Einar Bjarni Halldórsson 2020-06-24 08:56:02 UTC
I have servers that don't report vulnerable packages:

$ pkg info|grep sqlite3
sqlite3-3.31.1_1,1

$ pkg search sqlite3
sqlite3-3.32.2,1

$ pkg audit
0 problem(s) in 0 installed package(s) found.

$ freebsd-version
12.1-RELEASE-p4
Comment 17 rob2g2 2020-06-24 09:08:40 UTC
I can acknowledge this; my systems also show "0 problems" with "pkg audit -F" although they are vulnerable (pkg and base).
Comment 18 Dan Langille freebsd_committer 2020-06-24 17:08:26 UTC
On my systems, /usr/local/etc/periodic/security/405.pkg-base-audit has been reporting:

FreeBSD-12.1_6 is vulnerable:
several security issues in sqlite3

for 11 days now.

The fixes have not trickled through to 12.1-RELEASE yet.
Comment 19 Niclas Zeising freebsd_committer 2020-06-25 11:31:33 UTC
The package version of the sqlite entry in vuln.xml is wrong.  It has to be 3.32.2,1, including PORTEPOCH.  Otherwise the pkg version match logic will think that 3.32.2,1 is greater than 3.32.2, which is the version of the package marked vulnerable.
Comment 20 rob2g2 2020-06-25 13:42:21 UTC
Created attachment 215933
correct most recent sqlite3 entry

The one-line diff.
Comment 21 commit-hook freebsd_committer 2020-06-25 19:27:12 UTC
A commit references this bug:

Author: zeising
Date: Thu Jun 25 19:26:24 UTC 2020
New revision: 540402
URL: https://svnweb.freebsd.org/changeset/ports/540402

Log:
  vuln.xml: Adjust sqlite version in sqlite entry

  Update the sqlite versions affected in the latest sqlite entry.  The entry
  failed to take PORTEPOCH into account, and without this fix pkg audit fails
  to mark sqlite as vulnerable when it's not updated to the latest version,
  since any version with PORTEPOCH set will always be greater than any version
  without.

  PR:		247149

Changes:
  head/security/vuxml/vuln.xml
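The PORTEPOCH ordering described in comment 19 and in the r540402 log above is easy to get wrong when reading a vuxml range by eye. The following is an added illustration, not pkg's own code and not part of this bug: a small comparator that models pkg's VERSION[_REVISION][,EPOCH] ordering (epoch first, then version, then revision, with a missing epoch or revision counting as 0) and evaluates a vuxml <lt> bound against the installed sqlite3-3.31.1_1,1 reported in comment 16. It only models dotted-numeric VERSION strings, which is all sqlite3 needs; the names compare, is_vulnerable and audit are this example's own, and the package list passed to audit is constructed, not real pkg output.

```python
"""
Why pkg audit treated sqlite3-3.31.1_1,1 as newer than a bare "3.32.2" bound.

A FreeBSD package version has the shape VERSION[_REVISION][,EPOCH].  pkg
orders on EPOCH first, then VERSION, then REVISION, and a missing EPOCH or
REVISION counts as 0.  Hence any version carrying ",1" outranks every version
without an epoch, whatever the VERSION part says.  Illustrative model only:
it handles dotted-numeric VERSIONs such as 3.32.2 and is not pkg's own code.
"""
import re

_PKGVER = re.compile(
    r"^(?P<version>\d+(?:\.\d+)*)"   # 3.32.2
    r"(?:_(?P<revision>\d+))?"       # optional PORTREVISION, e.g. _1
    r"(?:,(?P<epoch>\d+))?$"         # optional PORTEPOCH, e.g. ,1
)


def parse(pkgver):
    """Return the (epoch, version_tuple, revision) key the ordering uses."""
    m = _PKGVER.match(pkgver)
    if m is None:
        raise ValueError(f"unsupported or malformed package version: {pkgver!r}")
    version = tuple(int(part) for part in m["version"].split("."))
    return (int(m["epoch"] or 0), version, int(m["revision"] or 0))


def compare(a, b):
    """Return -1, 0 or 1, matching the <, = or > that `pkg version -t a b` prints."""
    ka, kb = parse(a), parse(b)
    return (ka > kb) - (ka < kb)


def is_vulnerable(installed, lt_bound):
    """Evaluate a vuxml <range><lt>BOUND</lt></range> against an installed version."""
    return compare(installed, lt_bound) < 0


def audit(installed_pkgs, pkgname, lt_bound):
    """Return the name-version strings of pkgname that fall below lt_bound.

    installed_pkgs mimics `pkg info` lines such as 'sqlite3-3.31.1_1,1'
    (constructed sample data); the version is everything after the last '-'.
    """
    hits = []
    for line in installed_pkgs:
        name, _, version = line.rpartition("-")
        if name == pkgname and is_vulnerable(version, lt_bound):
            hits.append(line)
    return hits


if __name__ == "__main__":
    installed = "3.31.1_1,1"  # the version comment 16 shows installed
    # Bound as originally committed in vuln.xml (no PORTEPOCH): not flagged.
    print("bound 3.32.2   ->", is_vulnerable(installed, "3.32.2"))
    # Bound after r540402 (PORTEPOCH included): flagged as vulnerable.
    print("bound 3.32.2,1 ->", is_vulnerable(installed, "3.32.2,1"))
```

On a FreeBSD host the same comparison is available directly as `pkg version -t 3.31.1_1,1 3.32.2`, which prints `>` for exactly the reason the commit log gives: the epoch is compared before anything else, so a vuxml bound for a port with PORTEPOCH set must carry the `,N` suffix or it silently matches nothing.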
Comment 22 Dan Langille freebsd_committer 2020-06-25 20:41:44 UTC
(In reply to commit-hook from comment #21)
With that commit, my hosts are now correctly reporting that my installed sqlite3-3.31.1_1,1 is vulnerable

Thank you.

I'm hoping this fix makes it into freebsd-update so this can be cleared:

[dan@r720-01:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: Thu Jun 25 20:37:32 UTC 2020
0 problem(s) in 0 installed package(s) found.
FreeBSD-12.1_6 is vulnerable:
several security issues in sqlite3
CVE: CVE-2020-13632
CVE: CVE-2020-13631
CVE: CVE-2020-13630
CVE: CVE-2020-13435
CVE: CVE-2020-13434
CVE: CVE-2020-11655
WWW: https://vuxml.FreeBSD.org/freebsd/c4ac9c79-ab37-11ea-8b5e-b42e99a1b9c3.html

1 problem(s) in 1 installed package(s) found.
Comment 23 PauAmma 2020-07-02 19:02:19 UTC
Any update? It's been over 3 weeks and I'd really like not to train myself to ignore daily reports of security problems in base, but I don't have the resources to track and compile 12-STABLE, so I'm stuck. :-(
Comment 24 Dan Langille freebsd_committer 2020-07-02 19:53:43 UTC
Alert fatigue is real.
Comment 25 VVD 2020-07-03 18:56:12 UTC
When in releng/{11.3,11.4,12.1}?
Comment 26 Philip Paeps freebsd_committer 2020-07-04 02:18:53 UTC
We can include this in the next batch of security advisories / errata.

(hat: security-officer secretary)
Comment 27 PauAmma 2020-07-04 02:33:56 UTC
(In reply to Philip Paeps from comment #26)
So, obvious question there: when is that next batch planned for?
Comment 28 Philip Paeps freebsd_committer 2020-07-04 02:40:12 UTC
Current thinking is next Tuesday.
Comment 29 PauAmma 2020-07-08 12:02:57 UTC
(In reply to Philip Paeps from comment #28)
Any update?
Comment 30 Philip Paeps freebsd_committer 2020-07-08 15:28:34 UTC
I was premature.  This slipped into the next batch.  I'm sorry.  We'll push these fixes as soon as possible.