XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: affects -1 + src:sqlite3
Hi RMs,
Please pre-approve unblocking of package sqlite3.
[ Reason ]
There is a bug that in a special case causes invalid data to be used for a
column. It isn't seen in the wild, found by the Chromium fuzzer.
For some reason upstream turned off recovery support by default for a
long time. It was active in Bullseye, but not in Bookworm nor in
Trixie.
[ Impact ]
The column handling bug is considered important and fixed by upstream,
but the details of the possible exploit are not yet made public [1].
That is, I can't declare the importance of the fix, but I say it is
better to have this.
The recovery support needs a compile option to be added and as it's
exposed to outside, a new library symbol is being added.
[ Tests ]
Tested by myself on my box running Trixie and even backported to my
Bookworm one. There are no issues.
[ Risks ]
Fairly low if any. The fix is a minimal change and while the recovery
support exposes some internal data to the user it is for the specific
reason.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
Regards,
Laszlo/GCS
[1] https://issues.chromium.org/issues/415397143
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)