From owner-freebsd-security@freebsd.org Sun Dec 16 16:14:08 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A5131330F07; Sun, 16 Dec 2018 16:14:08 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 46E8C8D443; Sun, 16 Dec 2018 16:14:07 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 601D4661BE; Sun, 16 Dec 2018 08:13:59 -0800 (PST) Date: Sun, 16 Dec 2018 08:13:59 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org cc: ports-secteam@FreeBSD.org Subject: SQLite vulnerability Message-ID: MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-Rspamd-Queue-Id: 46E8C8D443 X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [3.74 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.95)[0.949,0]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[roble.com]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.97)[0.965,0]; RCVD_TLS_LAST(0.00)[]; MX_GOOD(-0.01)[mx4.roble.com,mx7.roble.com]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(0.96)[0.956,0]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; FORGED_RECIPIENTS(0.00)[freebsd-security@freebsd.org ..,freebsd-security@freebsd.org ...]; IP_SCORE(-0.02)[country: US(-0.08)]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Dec 2018 16:14:08 -0000 Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all over the news for a week now. It is patched on all Linux platforms but has not yet shown up in FreeBSD's vulxml database. Does this mean: A) FreeBSD versions prior to 3.26.0 are not vulnerable, or B) the ports-secteam is not able to properly maintain the vulnerability database? If the latter perhaps someone from the security team could let us know how such a significant vulnerability could go unflagged for so long and, more importantly, what might be done to address the gap in reporting? Roger Marquis From owner-freebsd-security@freebsd.org Sun Dec 16 20:20:37 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 002CF1339E3F; Sun, 16 Dec 2018 20:20:36 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 54C03956BB; Sun, 16 Dec 2018 20:20:36 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 9332867B54; Sun, 16 Dec 2018 12:20:34 -0800 (PST) Date: Sun, 16 Dec 2018 12:20:34 -0800 (PST) From: Roger Marquis To: Remko Lodder cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org Subject: Re: SQLite vulnerability In-Reply-To: <473172DA-7F1E-42EB-8E0B-53122E13E84E@elvandar.org> Message-ID: References: <473172DA-7F1E-42EB-8E0B-53122E13E84E@elvandar.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Rspamd-Queue-Id: 54C03956BB X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [3.63 / 15.00]; ARC_NA(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; NEURAL_SPAM_SHORT(0.80)[0.796,0]; FROM_HAS_DN(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[roble.com]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.99)[0.989,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: mx4.roble.com]; NEURAL_SPAM_LONG(0.97)[0.968,0]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; RCVD_COUNT_TWO(0.00)[2]; IP_SCORE(-0.02)[country: US(-0.08)] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Dec 2018 20:20:37 -0000 > It?s sad to see that you are still as negative as you where not that long > ago. Apologies for being negative Remko, but isn't it the implications for those running FreeBSD that are negative rather than someone pointing them out? Or do we have different interpretations of the scope or threat profile of this particular issue? (considering that sqlite has been installed by default on every FreeBSD host and jail for a few years now) > I said before that If you rely on the information being up to date, you > should sponsor the FF or pay someone to do the work for you. You keep > forgetting that we (security-officer@ and ports-secteam@) are volunteers > and that we do this in our free spare time. This is a good answer to my question regarding what might be done to address the gap in reporting. I am in no position to financially sponsor anyone but certainly the FreeBSD Foundation is. Maybe someone from the board could weigh-in regarding the feasibility of funding this critical function? According to more than $3M is available, a small portion of which, if applied on an ongoing basis, would bring FreeBSD up to the 3rd party application security standards of its competitors (Android aside) and make the OS infinitely easier for us to advocate, admin and develop for. On that note, does anyone on this list have experience applying for FreeBSD Foundation grants? If so please contact me off-list. OTOH it may also be a matter of team size and/or policies that would be more effective in the short term. Would be great if other sec team and or board members could comment (ideally without shooting the messenger). > I do not think the others need to step in for this one, your constant > negative attitude towards our ports-secteam people is getting annoying and > a waste of our precious time. So either start sending patches, contribute, > or understand that this is voluntarily and that their priorities might not > be your priority. I don't know Remko. It seems like too far-reaching of an issue to ignore. Most of us don't see it as negative or positive but simply a means of keeping end-users safe and making everyone's contribution to the project more effective. Roger Marquis From owner-freebsd-security@freebsd.org Sun Dec 16 18:48:48 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6A8211336FAC; Sun, 16 Dec 2018 18:48:48 +0000 (UTC) (envelope-from remko@elvandar.org) Received: from smtp-out.elvandar.org (smtp-out.elvandar.org [IPv6:2a01:7c8:aaba:ae::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5420E92845; Sun, 16 Dec 2018 18:48:47 +0000 (UTC) (envelope-from remko@elvandar.org) Received: from mail2.jr-hosting.nl (nakur.elvandar.org [95.216.49.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-out.elvandar.org (Postfix) with ESMTPS id 18CC54707B0; Sun, 16 Dec 2018 19:48:40 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=elvandar.org; s=dkim; t=1544986120; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PM3Pa90FJZdM+EgKJEyWrrHpnLXSWq57mX2CK5uWeGw=; b=eB8AKeb0kB9RYddL+xzLNOVPGRnr/fTlMC2Ivn+T+cf8xHvIdoYZkssHo9u9HXuQROahk+ gqRr8huMVouNwZSrs3qA8diIFxMZT+ErlW+rTEV/KRzJb/tKFzhVxpFiWawUh/qIh7Pewq jnIiQxKoH+KHapeByqWKbhs+oCPozPo= Received: from [10.0.2.7] (095-096-154-040.static.chello.nl [95.96.154.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.jr-hosting.org (Postfix) with ESMTPSA id 9376487C12; Sun, 16 Dec 2018 19:48:39 +0100 (CET) From: Remko Lodder Message-Id: <473172DA-7F1E-42EB-8E0B-53122E13E84E@elvandar.org> Content-Type: multipart/signed; boundary="Apple-Mail=_076457B1-04D4-45E9-929B-A3627A071F1A"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\)) Subject: Re: SQLite vulnerability Date: Sun, 16 Dec 2018 19:48:38 +0100 In-Reply-To: Cc: freebsd-security@freebsd.org, "ports-secteam@freebsd.org" To: Roger Marquis References: X-Mailer: Apple Mail (2.3445.102.3) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=elvandar.org; s=dkim; t=1544986124; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PM3Pa90FJZdM+EgKJEyWrrHpnLXSWq57mX2CK5uWeGw=; b=u94A07iaYAgmBTexNwgvAO94uDx7ZvFPu7MTqNJnTiuB7Yu/n8o1ZvCj8e/yRAuNfczJ03 gAHiLL6N/Nu3xmLiSP9/NWOqwOkzbnnBH8S7Z6WcJtdzq2Bawy03gu5MbySfTt6zBJoQKN eIDM9J0ljx/4ouuuahZ6hWSEE4lb7kU= ARC-Seal: i=1; s=dkim; d=elvandar.org; t=1544986124; a=rsa-sha256; cv=none; b=W7ekiyxrvwAgdrHuEtZYWMN38ig21wOwau6Mllm/YfhvHIVaRK87bYh7P4N4p2xIPRwgL7 a3SKbI+MQ2H7QOkSrJgRfof/+0Wbk5PmV8fSpJpO86lRlfdQYaXOiibzuxMoOmLwnwP43R 2MkofYAc+xoYTKvLTpwek9Wqi6FXZuM= ARC-Authentication-Results: i=1; smtp-out.elvandar.org X-Rspamd-Queue-Id: 5420E92845 X-Spamd-Bar: ---------- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=elvandar.org header.s=dkim header.b=eB8AKeb0; dmarc=pass (policy=none) header.from=elvandar.org; spf=pass (mx1.freebsd.org: domain of remko@elvandar.org designates 2a01:7c8:aaba:ae::2 as permitted sender) smtp.mailfrom=remko@elvandar.org X-Spamd-Result: default: False [-10.30 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a01:7c8:aaba:ae::2]; MV_CASE(0.50)[]; HAS_ATTACHMENT(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[elvandar.org:+]; DMARC_POLICY_ALLOW(-0.50)[elvandar.org,none]; MX_GOOD(-0.01)[mx1.elvandar.org,mx2.elvandar.org]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_SHORT(-0.92)[-0.917,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; IP_SCORE(-2.67)[ip: (-9.91), ipnet: 2a01:7c8::/32(-2.19), asn: 20857(-1.28), country: NL(0.01)]; ASN(0.00)[asn:20857, ipnet:2a01:7c8::/32, country:NL]; ARC_ALLOW(-1.00)[i=1]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_IN_DNSWL_LOW(-0.10)[2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.a.0.0.a.b.a.a.8.c.7.0.1.0.a.2.list.dnswl.org : 127.0.5.1]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[elvandar.org:s=dkim]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; DWL_DNSWL_LOW(-1.00)[elvandar.org.dwl.dnswl.org : 127.0.5.1]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[] X-Mailman-Approved-At: Mon, 17 Dec 2018 02:44:53 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Dec 2018 18:48:48 -0000 --Apple-Mail=_076457B1-04D4-45E9-929B-A3627A071F1A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi, It=E2=80=99s sad to see that you are still as negative as you where not = that long ago. I said before that If you rely on the information being up to date, you = should sponsor the FF or pay someone to do the work for you. You keep = forgetting that we (security-officer@ and ports-secteam@) are volunteers and that we do this in our free spare time. You cannot demand that we do things = that you expect us to do without knowing how people lives are going at that = same moment. If they have to choose between your whining and their kids or family, I would also choose the family. I do not think the others need to step in for this one, your constant = negative attitude towards our ports-secteam people is getting annoying and a = waste of our precious time. So either start sending patches, contribute, or = understand that this is voluntarily and that their priorities might not be your = priority. Thank you, once and for all, Remko. > On 16 Dec 2018, at 17:13, Roger Marquis wrote: >=20 > Thanks to Chrome{,ium} a recently discovered SQLite exploit has been = all > over the news for a week now. It is patched on all Linux platforms = but > has not yet shown up in FreeBSD's vulxml database. Does this mean: >=20 > A) FreeBSD versions prior to 3.26.0 are not vulnerable, or >=20 > B) the ports-secteam is not able to properly maintain the = vulnerability > database? >=20 > If the latter perhaps someone from the security team could let us know > how such a significant vulnerability could go unflagged for so long = and, > more importantly, what might be done to address the gap in reporting? >=20 > Roger Marquis --Apple-Mail=_076457B1-04D4-45E9-929B-A3627A071F1A Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEUZm6tSR1fPPy/V/fqMPbslnzjLAFAlwWngYACgkQqMPbslnz jLBJBA/8DsGQs3vTO/MxTJI+xbSH1oFcoRYbX+C7K6vW5f5KDy5c/UTtVHbY48hy OBe+nk1KBFLa/DKVUuQOsOq9v48sF7Hz8/bUQo60ezp1aZAPqbETZKNOjSv9OV4i ZFjclVwp9YcIv4B3LsahbV7io11PPS59/s6aty+Nw+C3B6Cos0zZQ+SAqpEF79ls MfvrPFbiVI9T62JhJPiPIbTR+O9kSeimauf9F4vcAqgZRzxKLNHQZ3Vru1WDHhbZ bSVwBWqdi2PQFCmdxQ+mXX7X12zXEPWjg06PUe0n7MP1YVhlv+YgYoxt+fGT6i9j tlfmv7PbtQ6QgdiZlsm21v8OCeR9xo3EjPRmj35nGIjdc6Es9aMqLxjhi1vpADF8 ynp6ersQd0dM5UNHDmyCCSeGfDFbPjl6NMRza6OYvE/QhhQwZWaGWE5XjxmTQOFU 833J049XfU18UmLze7dP5A24BDKdJ8GQbAU9uoXn9ZRQQSr4Wq2osfp6xExDeYJV dy9iuhgNN4OhaZW2J42z3HSM2E6VurogU1Knc3Mxw0KKl5zKmeVQSjHaAkhFTBkO dqEe3y8u7n0nuRtVmSMJr+FSyL6Qipn4jtQvrMz4hJk7WdTz96MZdvvOs4vmkp3O 8VT8ZLZ9EjHH/QdX9qqdkefzThMRJmwXHQE7DOMPTKNyUAXbzYo= =EYpB -----END PGP SIGNATURE----- --Apple-Mail=_076457B1-04D4-45E9-929B-A3627A071F1A-- From owner-freebsd-security@freebsd.org Mon Dec 17 08:00:09 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1C26A1334228 for ; Mon, 17 Dec 2018 08:00:09 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7BF7288682 for ; Mon, 17 Dec 2018 08:00:08 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: by mail-lj1-x229.google.com with SMTP id n18-v6so10090980lji.7 for ; Mon, 17 Dec 2018 00:00:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0eTjTfUwlKGDrFwnOfhXj/duF3+2x72kS8MM8l/dmtg=; b=uJy55mZdMXeCFNDj/HRMoxEus8TwudhZO65MrtUaR9f9lDGQoLLe8xPTKicrfe+7TS 1jhuDOp+ljWLr2krqqJZ5Y019GyXetLAemyLAwsy1Bk7he9F2283q7ASVCDMeVGvcHaz 3ZapWpcP6TEgzuZSh8pnY9l2SxZ1Afx4SdnYwJJk20cRWABiAPJ1n/+L2CCB+wmmPt82 UpuqFNKY0q6Og6WibCpMMl8Mo/jh9o2Bq44zdEu4DzVGVAdkiEnte8x9K1pHRIF7jtRh joZgM2txoHNJFkqZJycYyWnB5B0MTkrfo+9yXdrpQrNSwuQ68Smgs6SiS6stYBvJBkcE gCNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0eTjTfUwlKGDrFwnOfhXj/duF3+2x72kS8MM8l/dmtg=; b=PBR9u7GjVj2ldvLPIrUNTVdsZKiSilBMPpNF8jKTyi9L+y/Uxj+SHhTXVBBy//3t54 Vbguzl+icm1VZWQKkWMGoI1LMjvBJwx5Q/1D9CdUsyYLr5SAGP5IWMjA6fC645oywWde RV578SFtsIPTecHav7qkrsVxJMd5xsLEDKz8WurESfSUPf0sWRkievWtCKn+W7Ad4L9X 7aKcgF44RkPy2crzY0PYhMrqTNdruuaxN6J1DzOdIB8/7oMT0302BoXad1TmrRKerntK 7gptmcxRLQ+rKojlkCGrsu5hrgRZhSNrttNQR4TqirAYuFzy+j4O0ydbQU5I2l7BGFI5 4HcQ== X-Gm-Message-State: AA+aEWZMxovjsFPJYA+82BB/kpSodOKDBASo2VGY6Km99p4jVrqIu8Ch WXu5vOtNTzZkm5P0otoQb3cMJvXrieue/lD6HB7PI1/l X-Google-Smtp-Source: AFSGD/WguysuTCNNBQDlOfXc11Fr0pdZUxNF0TLK0wm2pjENWMAVa4gaP5udRBXyuffDpplljiOL0zMz97SI06uStrI= X-Received: by 2002:a2e:83d7:: with SMTP id s23-v6mr7751233ljh.139.1545033605039; Mon, 17 Dec 2018 00:00:05 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Robert Simmons Date: Mon, 17 Dec 2018 02:59:52 -0500 Message-ID: Subject: Re: SQLite vulnerability To: Roger Marquis Cc: freebsd-security@freebsd.org X-Rspamd-Queue-Id: 7BF7288682 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.988,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 08:00:09 -0000 You're being a jerk. This is a volunteer project. It owes you nothing. On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's vulxml database. Does this mean: > > A) FreeBSD versions prior to 3.26.0 are not vulnerable, or > > B) the ports-secteam is not able to properly maintain the vulnerability > database? > > If the latter perhaps someone from the security team could let us know > how such a significant vulnerability could go unflagged for so long and, > more importantly, what might be done to address the gap in reporting? > > Roger Marquis > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@freebsd.org Mon Dec 17 08:10:42 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 634621334766 for ; Mon, 17 Dec 2018 08:10:42 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [IPv6:2a01:4f8:a0:51d7::103:2]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4A19488C1B for ; Mon, 17 Dec 2018 08:10:40 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from francos-mbp.homeoffice.local (dslb-090-186-131-085.090.186.pools.vodafone-ip.de [90.186.131.85]) by host64.shmhost.net (Postfix) with ESMTPSA id 43JDNv2hs0zC797; Mon, 17 Dec 2018 09:10:39 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\)) Subject: Re: SQLite vulnerability From: Franco Fichtner In-Reply-To: Date: Mon, 17 Dec 2018 09:10:38 +0100 Cc: Roger Marquis , freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <76A9843B-151A-4EB4-9A11-BA572F44ECD6@lastsummer.de> References: To: Robert Simmons X-Mailer: Apple Mail (2.3445.102.3) X-Virus-Scanned: clamav-milter 0.100.2 at host64.shmhost.net X-Virus-Status: Clean X-Rspamd-Queue-Id: 4A19488C1B X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.58 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; NEURAL_HAM_MEDIUM(-0.99)[-0.995,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MV_CASE(0.50)[]; IP_SCORE(-1.15)[ipnet: 2a01:4f8::/29(-3.27), asn: 24940(-2.46), country: DE(-0.01)]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lastsummer.de]; AUTH_NA(1.00)[]; TO_DN_SOME(0.00)[]; NEURAL_HAM_LONG(-1.00)[-0.995,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[lastsummer.de]; NEURAL_HAM_SHORT(-0.83)[-0.829,0]; R_SPF_NA(0.00)[]; FREEMAIL_TO(0.00)[gmail.com]; RECEIVED_SPAMHAUS_PBL(0.00)[85.131.186.90.zen.spamhaus.org : 127.0.0.11]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 08:10:42 -0000 > On 17. Dec 2018, at 8:59 AM, Robert Simmons = wrote: >=20 > You're being a jerk. This knee-jerk reaction defence is getting old. If you guys don't want to address it just leave it be or say "I'm not = interested in doing x-y-z", even if it means "not interested in security" or "not = interested in working on it". It's perfectly fine to admit it. And nobody will = call you a "jerk" for saying it if the established social project rules are of good = quality. Cheers, Franco From owner-freebsd-security@freebsd.org Mon Dec 17 08:31:37 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6EFF133500F for ; Mon, 17 Dec 2018 08:31:36 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 55E398991C for ; Mon, 17 Dec 2018 08:31:36 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: by mail-lj1-x234.google.com with SMTP id x85-v6so10193805ljb.2 for ; Mon, 17 Dec 2018 00:31:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6RPE45nUz3smZq67V7Rlo1/DxlacLBrcE8zm43zeVSI=; b=vQyrnmN4ZrP3mATAafrPB8pWaRTOb2ryrYeYoVzR/qIcEg6np2Bjdx2r60aJTPwxvQ KomzkSWgEvLJ90S+DHtcO4ldQxJoD2Rh00alnBY8zVqC5W07fvc3t2hZ1GaAu8gDCcOS E23NFn2tr2XMXrMe5i+YNKIDQmU4/pQCDnEG4Lj33nK8p1G0wh5zXuW2aah4/57j0Gon uUJ9Xq0MR4cUdcbxGiaElUbVTIPPAUW4FSspmR5t1ydcSfkqdJIMud6zJreVfu0kJMut 7Y1zQOSOoQqSGMOatkNH3SgyfmpI5RDL1txG9ge4++mUpQW/1VKekiPDf4vmJkDcDk0O SoJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6RPE45nUz3smZq67V7Rlo1/DxlacLBrcE8zm43zeVSI=; b=TrUHaW6G6oijhb96pxBYRRSjoNmCjUXMCj1wOUDiQLoH4IEwdYZUadmk1R3OeTPlzu uCWEWPUKq8hhAOrtgyC8Dfqi4c7cFJ3cJWHoL2FlOjg/hyaYPXuj9uj3L1uPBC5/G43Z 9lPSSn9iDu7UeBdtSmwlqSGcQlKtKekSBUHHZq4ct1H35ezMz86E7T5W6ZfL/IoD8TOq cU6EHGcTKJkcl1vE1LCn1gfjRSWNBB/ISStyl2m5vg8rvvk0SqZqJn0CwvkhBcI/kK8m 6Vm6Jvzp1JtKIz79vMGml/sGNf3c60fNvDTgFjvo94u46LYNOwGNr/ZvsFCJmd+DfWLG 6t9A== X-Gm-Message-State: AA+aEWb5FyoUvrvep8cE4etGJTBCNVJ24eRaQESDMk/iqsOJukl1lf3A n7QvQWhQPWh1MMdEjrh4kWFlWGvf3TQbiRPtlr5J15KY X-Google-Smtp-Source: AFSGD/WbZTwYNbiUaD22nZut4swBpWgjqsdDyQqABR3rm36HE+WNAwQXMfkZxh1rHl0DplGlqf94ulokMH2XhirtsNc= X-Received: by 2002:a2e:83d7:: with SMTP id s23-v6mr7826430ljh.139.1545035494506; Mon, 17 Dec 2018 00:31:34 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Robert Simmons Date: Mon, 17 Dec 2018 03:31:22 -0500 Message-ID: Subject: Re: SQLite vulnerability To: Roger Marquis Cc: freebsd-security@freebsd.org X-Rspamd-Queue-Id: 55E398991C X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.987,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 08:31:37 -0000 https://mikemcquaid.com/2018/03/19/open-source-maintainers-owe-you-nothing/ On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's vulxml database. Does this mean: > > A) FreeBSD versions prior to 3.26.0 are not vulnerable, or > > B) the ports-secteam is not able to properly maintain the vulnerability > database? > > If the latter perhaps someone from the security team could let us know > how such a significant vulnerability could go unflagged for so long and, > more importantly, what might be done to address the gap in reporting? > > Roger Marquis > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@freebsd.org Mon Dec 17 08:37:16 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9C9F2133552D for ; Mon, 17 Dec 2018 08:37:16 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1207F89C9D for ; Mon, 17 Dec 2018 08:37:16 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: by mail-lj1-x232.google.com with SMTP id 83-v6so10169315ljf.10 for ; Mon, 17 Dec 2018 00:37:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5eGbKppkH7W6EwDSvA4fr0dqbbIKTLXCaolA2D+VMIo=; b=cpSkJjl8ZiMiBt89q0RvdRFmfLbtJvep+Y34qCLRUBXUtgVV9nYRkOLc2GjD7CpkMY PAZieakGdse5+Sv1usmUxS4shMGUh93Dk5mgVzGlQEno11declwVWdxvRNkiDIKH/EoR 7vpiT5eldEjaiSxxKzf0XxPqnsiF+eKc4YStYmu5yudgxkza4FNhvLrRrKZZppjDrv5O 2c35jL16MXiaqhcrGwTvsju/U1l4UWdgL/cBxw9HxSMMVI+k8B/ToAh/3dnfnn4iKVlx v/a8u32kClYk4zlDcSe9b+ErqXIzfcEVDrsCFMq7kD3jb/yV0f/jpO93DcWmqVnh5l+v GQUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5eGbKppkH7W6EwDSvA4fr0dqbbIKTLXCaolA2D+VMIo=; b=K6LKjB8X22YcWAPwYtFkXDuzqZlyTO49tq1B8JF/28sJPTUli8bP9YkpjEFe04BoZh ui98GRKTRbMEkT+JnZgREisJmq6aWh7Hl8LJmLGO0atwrkcH44xxc8GdvR64l+h2xDL8 5BOxunXFIL5vBNyOrY9u65zmlaDwjEgCaeZk29OHcB/W8VFjVlBRmE1ToPNVMV3ErVub erwpILkhVfmocLohJtTAxMRCAT+/Tg405SAF1UFfn/7ijVXXKu6TAx+uDJJ7eDgWGIFi UOrqty7YsID4trkfPheT0rWKBmHsb3yQhTcxIclxVgVkubJH85BZ6iTCBSpLyCi39tVS BFFg== X-Gm-Message-State: AA+aEWZ3jPT4BplWM3UZ+CxUlMKKbHqgB+qVX/AbgZUfTPu7mBzfxayv 6aZXQamMUv93edqo8+2AtLBC47mQ4BhHlsOXpO0= X-Google-Smtp-Source: AFSGD/VdrmVG9kKgeOvGPQGnBG+fdtnAkfep/06ZtgEbuD70Y1/nfZ/WciKEZUGW5XIjqZnjxQ/YStexM9Rk29qcW4U= X-Received: by 2002:a2e:95c6:: with SMTP id y6-v6mr6754586ljh.59.1545035834536; Mon, 17 Dec 2018 00:37:14 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Robert Simmons Date: Mon, 17 Dec 2018 03:37:02 -0500 Message-ID: Subject: Re: SQLite vulnerability To: Roger Marquis Cc: freebsd-security@freebsd.org X-Rspamd-Queue-Id: 1207F89C9D X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.987,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 08:37:16 -0000 Since you may not read that essay on open source software, here is the salient point for you: - For users: remember when filing an issue, opening a pull request or making a comment on a project to be grateful that people spend their fre= e time to build software you get to use for free. Keep your frustrations a= nd non-actionable negativity to yourself (or at least offline and out of earshot). Don=E2=80=99t expect anyone to fix your issues or help you if = you=E2=80=99re unwilling to dedicate more time to helping yourself than you ask of othe= rs. This means reading all the documentation and trying to resolve your own issues before ever asking for any help. On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's vulxml database. Does this mean: > > A) FreeBSD versions prior to 3.26.0 are not vulnerable, or > > B) the ports-secteam is not able to properly maintain the vulnerability > database? > > If the latter perhaps someone from the security team could let us know > how such a significant vulnerability could go unflagged for so long and, > more importantly, what might be done to address the gap in reporting? > > Roger Marquis > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g > " > From owner-freebsd-security@freebsd.org Mon Dec 17 08:44:43 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9ACA21335A12; Mon, 17 Dec 2018 08:44:43 +0000 (UTC) (envelope-from brooks@spindle.one-eyed-alien.net) Received: from spindle.one-eyed-alien.net (spindle.one-eyed-alien.net [199.48.129.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DC6F38A24E; Mon, 17 Dec 2018 08:44:42 +0000 (UTC) (envelope-from brooks@spindle.one-eyed-alien.net) Received: by spindle.one-eyed-alien.net (Postfix, from userid 3001) id 9CA053C475F; Mon, 17 Dec 2018 08:44:35 +0000 (UTC) Date: Mon, 17 Dec 2018 08:44:35 +0000 From: Brooks Davis To: Roger Marquis Cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org Subject: Re: SQLite vulnerability Message-ID: <20181217084435.GC4757@spindle.one-eyed-alien.net> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IJpNTDwzlM2Ie8A6" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) X-Rspamd-Queue-Id: DC6F38A24E X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.97 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.97)[-0.975,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 08:44:43 -0000 --IJpNTDwzlM2Ie8A6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote: > Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's vulxml database. Does this mean: >=20 > A) FreeBSD versions prior to 3.26.0 are not vulnerable, or >=20 > B) the ports-secteam is not able to properly maintain the vulnerability > database? >=20 > If the latter perhaps someone from the security team could let us know > how such a significant vulnerability could go unflagged for so long and, > more importantly, what might be done to address the gap in reporting? Almost certainly: C) This vunerability was reported in a random blog post on a Sunday without any details so people haven't caught up with it yet. -- Brooks --IJpNTDwzlM2Ie8A6 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJcF2HzAAoJEKzQXbSebgfAvfAIAKFQRE9A2G3nfwVqRjz0ZwzI cDOXIfm1355TZEBS8lnwoyDpfo30yLHijYqvuAmyEtm+31TLZUCu0gRVxSnNrYgO xBoMq8p2RUKtMkXporbzPw9/zKA7nmQDmgEzDRgn7O7le0LuwV7aKhMAAitfS30E w+qMAW9wcMaqc9NaEy+q8c6H/fDwwYKLTKiypWXEaUasX09Ia67gNCDQ72XJ1KT/ Z/kC8iiRPzrFdpjf/yfmX/fCZb2ZJe9+BvNoucVBEkDX5eE3Q+ukf8S7BZsJr5B8 Gpydniiyxo53LQw1P3k5HVFa6qrEkS4Q2q1j4WmN7f9pLnwnnYYkBI4AnM2GMh0= =Ybhx -----END PGP SIGNATURE----- --IJpNTDwzlM2Ie8A6-- From owner-freebsd-security@freebsd.org Mon Dec 17 08:57:09 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 01E4A13361F4; Mon, 17 Dec 2018 08:57:09 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6F05A8A8FE; Mon, 17 Dec 2018 08:57:08 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: by mail-pf1-x436.google.com with SMTP id q1so6039322pfi.5; Mon, 17 Dec 2018 00:57:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:reply-to:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=bwd8Sd780I0IB6GoGTj1RPOHF+m/D95vy1REdHq/d54=; b=qx7+NV0nT0+cw+coUWKUqi3iTsA1j989jgOFE/r0A31xnkGlBHDFsTqEajGPRt/emY 3aKHT9XDgxoXWf+B7R3oYzSPACa2ZHr8ycvlPmQQ3yC7BLH4ksyLFl0MWOtcFpbmHU8a RVgmp1Kh/ymvxZJWP2I1Jxt5tDo1w69jZC7dSSIoN60hJLHhLQ16rmIKZcKUQ4jUwAy2 mNzs4xcD9gJ7BHvSwNO14RvFp1z+uFeMA8z9Tz3xvca43WP7C1wIzfMs8o2bUnyUOL62 9ExEuqlmOCXZgiL4k7qI2MKOd0dvARIrF+gg5uipsDpPVYKB6RGdvy3q3fAT75fdEMFx eUDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:reply-to:subject:to:cc:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=bwd8Sd780I0IB6GoGTj1RPOHF+m/D95vy1REdHq/d54=; b=TExo1fwJHrh4jC1msvppwQdf2MPrI5XCkHA4xSXlauJTMa3fLvMeP9cjKVy4uoDPec p1sQNDtRuwNTj7TJf7TBmdBAYMYwLHDQhJbxeL/0ieiVs81fDStcswOVfj6AV2NhLChj SmXA/s0geFlOhYXNAxORUO5Cw3u9rQnM8FrdEWEo7luHF63dQ4dHvUMOeB2WudKK0M51 li3Ow+yLg3gi3u7GwYeF0ufUjP5nStqt5oOtzxE+Aw79q8lK2fd7CxhmzGJKl9ZCwneZ 7ZZueN3UzyW9tp30vAIe8KLxWXmyoif0BS1+MD8DcHswqxZFf6BvPqiLwZqrUNsKSQNA fKvw== X-Gm-Message-State: AA+aEWZQsmC9Ly7EVGhSNJ/B5zMrd7W846DErvNL6dOjucYRKItZEID5 aQCOnuQIXMSVBTWCKbmFntIVj05t X-Google-Smtp-Source: AFSGD/U0mItdrEylucwIBVg7t+Qsb7ZPLuT6tUImHweHiR98tRCoxQWTrL1OQUTBh3WiyfJwrBsOaQ== X-Received: by 2002:a63:f844:: with SMTP id v4mr8166523pgj.82.1545037027249; Mon, 17 Dec 2018 00:57:07 -0800 (PST) Received: from [192.168.1.105] (119-18-15-55.cust.aussiebb.net. [119.18.15.55]) by smtp.gmail.com with ESMTPSA id r83sm19958113pfc.115.2018.12.17.00.57.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Dec 2018 00:57:06 -0800 (PST) Sender: Kubilay Kocak Reply-To: koobs@FreeBSD.org Subject: Re: SQLite vulnerability To: Brooks Davis , Roger Marquis Cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org References: <20181217084435.GC4757@spindle.one-eyed-alien.net> From: Kubilay Kocak Message-ID: <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org> Date: Mon, 17 Dec 2018 19:57:01 +1100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Thunderbird/64.0 MIME-Version: 1.0 In-Reply-To: <20181217084435.GC4757@spindle.one-eyed-alien.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 6F05A8A8FE X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.99)[-0.988,0]; TAGGED_FROM(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 08:57:09 -0000 On 17/12/2018 7:44 pm, Brooks Davis wrote: > On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote: >> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all >> over the news for a week now. It is patched on all Linux platforms but >> has not yet shown up in FreeBSD's vulxml database. Does this mean: >> >> A) FreeBSD versions prior to 3.26.0 are not vulnerable, or >> >> B) the ports-secteam is not able to properly maintain the vulnerability >> database? >> >> If the latter perhaps someone from the security team could let us know >> how such a significant vulnerability could go unflagged for so long and, >> more importantly, what might be done to address the gap in reporting? > > Almost certainly: > > C) This vunerability was reported in a random blog post on a Sunday > without any details so people haven't caught up with it yet. > > -- Brooks > Pretty close :) Original source/announcement: https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed [December 14th, 2018] I've already re-opened Issue #233712 [1], which was our databases/sqlite3 port update to 3.26.0 and requested a merge to quarterly. Chromium's fixes are in 71.0.3578.80 [2], there is an existing www/chromium Bugzilla issue to update to 73.0.3640.0 [3], which has been tracked as a security update and for MFH. Any ports/packages that embed/bundle their own sqlite3 library will also need updating. [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233712 [2] https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html [3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233990 [4] https://news.ycombinator.com/item?id=18685296 From owner-freebsd-security@freebsd.org Mon Dec 17 12:09:52 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4965A133CFE0 for ; Mon, 17 Dec 2018 12:09:52 +0000 (UTC) (envelope-from pkubaj@anongoth.pl) Received: from mail.anongoth.pl (mail.anongoth.pl [46.248.190.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail.anongoth.pl", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2945B6AD42 for ; Mon, 17 Dec 2018 12:09:49 +0000 (UTC) (envelope-from pkubaj@anongoth.pl) Received: from anongoth.pl (unknown [10.8.0.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pkubaj", Issuer "anongoth.pl" (not verified)) (Authenticated sender: pkubaj@anongoth.pl) by mail.anongoth.pl (Postfix) with ESMTPSA id B28B3302F1 for ; Mon, 17 Dec 2018 13:09:37 +0100 (CET) Date: Mon, 17 Dec 2018 13:09:37 +0100 From: Piotr Kubaj To: freebsd-security@freebsd.org Subject: Re: SQLite vulnerability Message-ID: <20181217120937.GC78044@smtp.iq.pl> Mail-Followup-To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="XMCwj5IQnwKtuyBG" Content-Disposition: inline User-Agent: Mutt/1.11.1 (2018-12-01) X-Rspamd-Queue-Id: 2945B6AD42 X-Spamd-Bar: / X-Spamd-Result: default: False [0.73 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:46.248.190.61]; TO_DN_NONE(0.00)[]; DKIM_TRACE(0.00)[anongoth.pl:+]; DMARC_POLICY_ALLOW(-0.50)[anongoth.pl,reject]; MX_GOOD(-0.01)[mail.anongoth.pl]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_SHORT(-0.83)[-0.829,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; IP_SCORE(-0.33)[asn: 47544(-1.69), country: PL(0.03)]; ASN(0.00)[asn:47544, ipnet:46.248.160.0/19, country:PL]; ARC_NA(0.00)[]; FAKE_REPLY(1.00)[]; R_DKIM_ALLOW(-0.20)[anongoth.pl:s=ANONGOTH]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FAKE_REPLY_C(6.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 12:09:52 -0000 --XMCwj5IQnwKtuyBG Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Doesn't base also need to be patched? AFAIK pkg uses sqlite database. --=20 _________________________________________=20 / Drew's Law of Highway Biology: \ | | | The first bug to hit a clean windshield | | | \ lands directly in front of your eyes. / -----------------------------------------=20 \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || --XMCwj5IQnwKtuyBG Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJkBAABCgBOFiEEycyIeNkkgohzsoorelmbhSCDnJ0FAlwXkgEwFIAAAAAAFQAS cGthLWFkZHJlc3NAZ251cGcub3JncGt1YmFqQGFub25nb3RoLnBsAAoJEHpZm4Ug g5ydbB4P/36+xxu/HR10EwC8hvKLl/Ivy/U3wLpCbVNSfOtYpQMJcGS7jYFXhHev 5wo8aZUZeXYf8pe8K/iJieBtYG+xmAbKbmcpgxMMOt1Ur8gXXOkrz0MativSdvEj t8wIfkUd6fIY16xy7dZSKhK5uIa+RMZo7lmrzg21wdFPXdIbj9k9glPNTAJF34PK +5IyAoPV3z3Dxe+E9epEA4k8rhE09zYD2yVJ+NfXihhcVOJ/eLIsYuKBUhaDoDOl D4sCHv1miLL8deFdo9+tGj4Xz69wqUZXCHt0a3aXWESijT2jgB1vyhY9bY+JeCkt RHqnHQe+R21pvg4NuyNsUE3OIgAwNlTxt4/no0C1tIJNr7lC2lUAIOkQ7nwMq9YO jUk7aMyXMT3deD8NoJMi0pMydjHZiT8hVB+Vv2D5T8XfMmT0YQEwDnfNqmJL1bjC FnHrd0h1VctOdX42R/m1+eFq7BoMHXyamnDcZmZP7AZfqqwsHgl1ZWxtZPf8Uha1 DGVvC9sMvONNEGRjGGH4IIrlRuKGfK7lqac6Oj09gc+U9arBLdru8xa0z08SYriH ecfKxnszAp8biJDV2NY5lScWVGkKXnDxgV7le3yl996NUYULwvb9ftTjud7mPdNA EbHXvZONUh9zs0WyiN8c2rumXhCYWsSpmxjO/wN6ERYXzIHM97ZL =RmWj -----END PGP SIGNATURE----- --XMCwj5IQnwKtuyBG-- From owner-freebsd-security@freebsd.org Mon Dec 17 14:17:46 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D35201340FCA for ; Mon, 17 Dec 2018 14:17:45 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C688E6F81B for ; Mon, 17 Dec 2018 14:17:44 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: by mail-lj1-x229.google.com with SMTP id n18-v6so11098051lji.7 for ; Mon, 17 Dec 2018 06:17:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=9ZH6hjv0FYCF/lhbRvorbjPRkVx4ikJTNrsBSSCzq1o=; b=RBswi+dEQFNzAe1+Y4rVoTTHgMSYPk+LpojlF4kBDuR7B9RYKtOEssiM/LIBALb/Zl e0D8XeWBzZ7ZY/bU7E/aPfgoXRaYr8Bu66vI6VXv2cwgtrC24zDGqtPS7IBbLDg1mWKY NDSuSnR3jwJ2XGX7vszLDBYAPNmTRbnbxylxBee2YeTgnZKqFg3vUGmI4hWa68tYUQPD u0B5J2oNrHHg2HuoQnAPXawTzZOK/NFERIaPUw0Guf56/n2M00VKQpMUtsEon6GYk2SG SjJgDID5GzSxVv1/Wbs2JOBxc+Rp2EKanEi4yrFYgyiLIAhREj2MlBrA6Xk7+j84RoAf GzFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=9ZH6hjv0FYCF/lhbRvorbjPRkVx4ikJTNrsBSSCzq1o=; b=KbmxH4ZHgSOHLTxgWZmp8GkEv0ytB68RhnDkYX0fZFy3QEUsq656HI/wZ+VrYOKREF bPqhWxnCV4B80Fp12nwoSP5VTri1x1gwoMmj37fBnk1214t/zKkvkxwqk1QfcJslSAzE l3aH6tPfWO/ObLDa9FQ02MR8Et3uGJ5q7onZcEpqZcgwJ84gyvG6YACS+Z8SmXwHG4ns C8Xcc8e2r0S0B0x5TQKpI6xXxRgM8s+riTYJPn2IJl+NgPUwv/PN625QScFJrCY0RbTx avGOs0NYBd8niz01r6R0twETRmcsAQw93GlcmK8hviE4fV2hclLKOqdWm3+1e4byOhWA zHVQ== X-Gm-Message-State: AA+aEWafa/C9/KOhyy9R6jt9WJksUP5PDFbOx2ikgZfdx8dHeAseockQ i48NSWXBf9jEiSfAPuS4lxnDyJr2KzJc1QetabPu4NiE X-Google-Smtp-Source: AFSGD/WtF/TL3Uq52j95LneA4GWoK65wa9NMgd0cC4vRiuGY7ciDSxwdMn8qp/dHSx5c5frb5EHQgo3PvPCczwWUwjQ= X-Received: by 2002:a2e:4442:: with SMTP id r63-v6mr7669692lja.79.1545056262662; Mon, 17 Dec 2018 06:17:42 -0800 (PST) MIME-Version: 1.0 References: <20181217120937.GC78044@smtp.iq.pl> In-Reply-To: <20181217120937.GC78044@smtp.iq.pl> From: Robert Simmons Date: Mon, 17 Dec 2018 09:17:29 -0500 Message-ID: Subject: Re: SQLite vulnerability To: freebsd-security@freebsd.org X-Rspamd-Queue-Id: C688E6F81B X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=RBswi+dE; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of rsimmons0@gmail.com designates 2a00:1450:4864:20::229 as permitted sender) smtp.mailfrom=rsimmons0@gmail.com X-Spamd-Result: default: False [-6.44 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[9.2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(-2.44)[ip: (-9.21), ipnet: 2a00:1450::/32(-1.56), asn: 15169(-1.35), country: US(-0.08)]; NEURAL_HAM_SHORT(-0.99)[-0.987,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 14:17:46 -0000 Yes, pkg uses sqlite. It uses the amalgamation here: https://github.com/freebsd/pkg/tree/master/external/sqlite On Mon, Dec 17, 2018, 07:11 Piotr Kubaj via freebsd-security < freebsd-security@freebsd.org wrote: > Doesn't base also need to be patched? > > AFAIK pkg uses sqlite database. > > -- > _________________________________________ > / Drew's Law of Highway Biology: \ > | | > | The first bug to hit a clean windshield | > | | > \ lands directly in front of your eyes. / > ----------------------------------------- > \ ^__^ > \ (oo)\_______ > (__)\ )\/\ > ||----w | > || || > From owner-freebsd-security@freebsd.org Mon Dec 17 14:19:33 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44AD31341080 for ; Mon, 17 Dec 2018 14:19:33 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm4.ctc.com (pm4.ctc.com [147.160.99.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pm4.ctc.com", Issuer "RapidSSL SHA256 CA - G3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id B94076F90A for ; Mon, 17 Dec 2018 14:19:31 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pps.filterd (pm4.ctc.com [127.0.0.1]) by pm4.ctc.com (8.16.0.27/8.16.0.27) with SMTP id wBHEB01M019648 for ; Mon, 17 Dec 2018 09:14:33 -0500 Received: from server3a.ctc.com ([10.160.17.12]) by pm4.ctc.com with ESMTP id 2pcuqsb7y6-1 (version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for ; Mon, 17 Dec 2018 09:14:32 -0500 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.14.4/8.14.4) with ESMTP id wBHEEXoC032145 for ; Mon, 17 Dec 2018 09:14:33 -0500 Received: (from cameron@localhost) by linux116.ctc.com (8.14.4/8.14.4/Submit) id wBHEEWUA030492 for freebsd-security@freebsd.org; Mon, 17 Dec 2018 09:14:32 -0500 Date: Mon, 17 Dec 2018 09:14:32 -0500 From: "Cameron, Frank J" To: freebsd-security@freebsd.org Subject: Re: SQLite vulnerability Message-ID: <20181217141432.GJ10650@linux116.ctc.com> References: <20181217120937.GC78044@smtp.iq.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181217120937.GC78044@smtp.iq.pl> User-Agent: Mutt/1.5.21 (2010-09-15) X-Rspamd-Queue-Id: B94076F90A X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of cameron@ctc.com designates 147.160.99.24 as permitted sender) smtp.mailfrom=cameron@ctc.com X-Spamd-Result: default: False [-1.44 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.46)[-0.459,0]; RCVD_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.18)[-0.181,0]; DMARC_NA(0.00)[ctc.com]; MX_GOOD(-0.01)[pm4.ctc.com,pm5.ctc.com]; NEURAL_HAM_SHORT(-0.48)[-0.478,0]; RCVD_IN_DNSWL_NONE(0.00)[24.99.160.147.list.dnswl.org : 127.0.10.0]; IP_SCORE(-0.02)[country: US(-0.08)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:7816, ipnet:147.160.0.0/16, country:US]; RCVD_TLS_LAST(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 14:19:33 -0000 On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security wrote: > Doesn't base also need to be patched? > AFAIK pkg uses sqlite database. Does pkg allow running arbitrary untrusted SQL? 'The vulnerability only exists in applications that allow a potential attacker to run arbitrary SQL. If an application allows that, it is usually called an "SQL Injection" vulnerability and is the fault of the application, not the database engine. The one notable exception to this rule is WebSQL in Chrome.' https://news.ycombinator.com/item?id=18686462 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a defense-in-depth, designed to head off future vulnerabilities by making shadow-tables read-only to ordinary SQL, along with some other restrictions. If you have an application that allows potential attackers to run arbitrary SQL, then the use of SQLITE_DBCONFIG_DEFENSIVE is recommended. It is not required. ... But that setting reduces the attack surface, making future bugs less likely.' https://news.ycombinator.com/item?id=18686572 ----------------------------------------------------------------- This message and any files transmitted within are intended solely for the addressee or its representative and may contain company proprietary information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ----------------------------------------------------------------- From owner-freebsd-security@freebsd.org Mon Dec 17 15:26:56 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9A071342FC7 for ; Mon, 17 Dec 2018 15:26:56 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 07CE872B34 for ; Mon, 17 Dec 2018 15:26:55 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 6DD788514D for ; Mon, 17 Dec 2018 07:26:54 -0800 (PST) Date: Mon, 17 Dec 2018 07:26:54 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: SQLite vulnerability In-Reply-To: Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Rspamd-Queue-Id: 07CE872B34 X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [3.61 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.87)[0.871,0]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_SPAM_MEDIUM(0.92)[0.916,0]; RCVD_TLS_LAST(0.00)[]; MX_GOOD(-0.01)[cached: mx4.roble.com]; NEURAL_SPAM_LONG(0.95)[0.950,0]; DMARC_NA(0.00)[roble.com]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; RCVD_COUNT_TWO(0.00)[2]; IP_SCORE(-0.02)[country: US(-0.08)] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 15:26:56 -0000 Robert Simmons acerbically replied: > Since you may not read that essay on open source software, here is the > salient point for you: > - For users: remember when filing an issue, opening a pull request or > making a comment on a project to be grateful that people spend their free > time to build software you get to use for free. Keep your frustrations and The problem with Robert Simmons' line of reasoning: a) keeping vulxml up to date is a fixable problem, and b) ignoring the critical role of FreeBSD's security teams will only result in FreeBSD boxes being hacked and end-users migrating to Linux. Considering the lack of technical or logical arguments being made against, for example, larger security teams or security team funding (after all, we're only talking about timely entries in the vulnerability database) it would not be unreasonable to conclude that opposition viewpoints are simply Linux advocates. Roger Marquis From owner-freebsd-security@freebsd.org Mon Dec 17 16:06:52 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E48A11344879; Mon, 17 Dec 2018 16:06:51 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 72D1B75290; Mon, 17 Dec 2018 16:06:51 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 1F5D58551C; Mon, 17 Dec 2018 08:06:50 -0800 (PST) Date: Mon, 17 Dec 2018 08:06:50 -0800 (PST) From: Roger Marquis To: Kubilay Kocak cc: Brooks Davis , freebsd-security@freebsd.org, ports-secteam@FreeBSD.org Subject: Re: SQLite vulnerability In-Reply-To: <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org> Message-ID: References: <20181217084435.GC4757@spindle.one-eyed-alien.net> <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Rspamd-Queue-Id: 72D1B75290 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.85 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.85)[-0.850,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 16:06:52 -0000 On Mon, 17 Dec 2018, Kubilay Kocak wrote: > Pretty close :) > Original source/announcement: > https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed > [December 14th, 2018] Not original though Tenable may have based their announcement on: https://meterpreter.org/sqlite-remote-code-execution-vulnerability-alert/ [December 11th, 2014] > I've already re-opened Issue #233712 [1], which was our databases/sqlite3 > port update to 3.26.0 and requested a merge to quarterly. Thank you Kubila and thanks to pavelivolkov@gmail.com who updated the sqlite3 port on December 4th. Roger Marquis From owner-freebsd-security@freebsd.org Mon Dec 17 17:19:00 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5243A134698E; Mon, 17 Dec 2018 17:19:00 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from smtp-out-no.shaw.ca (smtp-out-no.shaw.ca [64.59.134.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 5620480D0F; Mon, 17 Dec 2018 17:18:59 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from spqr.komquats.com ([70.67.125.17]) by shaw.ca with ESMTPA id YwXggPltnMRX3YwXig5p3W; Mon, 17 Dec 2018 10:18:58 -0700 X-Authority-Analysis: v=2.3 cv=TL87tGta c=1 sm=1 tr=0 a=VFtTW3WuZNDh6VkGe7fA3g==:117 a=VFtTW3WuZNDh6VkGe7fA3g==:17 a=2ur7OfE09M0A:10 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=wVmefGLtAAAA:8 a=yJre3eBTAAAA:8 a=pGLkceISAAAA:8 a=BjBlOK8wB625C0-ajfIA:9 a=bBq-60wbaaV20tKy:21 a=HN4qILMFnCL5w_iU:21 a=CjuIK1q_8ugA:10 a=FP-_TeKPpj4Qk_-IHHMA:9 a=MOiVBN1lCZ9t41cr:21 a=L8g52OTpQezMEZIe:21 a=QK7VKF2J1EZXU-4U:21 a=_W_S_7VecoQA:10 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 a=va12ASerkyBhAHNX7CWR:22 a=TX9-bkPir6qYJkIX8xYn:22 Received: from [25.81.116.22] (S0106788a207e2972.gv.shawcable.net [70.66.154.233]) by spqr.komquats.com (Postfix) with ESMTPSA id 5181F49C6; Mon, 17 Dec 2018 09:18:56 -0800 (PST) MIME-Version: 1.0 From: Cy Schubert Subject: RE: SQLite vulnerability Date: Mon, 17 Dec 2018 09:18:57 -0800 To: Roger Marquis , Kubilay Kocak CC: "ports-secteam@FreeBSD.org" , "freebsd-security@freebsd.org" , Brooks Davis Message-Id: <20181217171856.5181F49C6@spqr.komquats.com> X-CMAE-Envelope: MS4wfABweMCc9MEiAEnXinYxf50AWM47Mv/U6FRG+Yls2pQXCDkc5XV6COLdY1AAv7qdHWZAXtR7L/8912Xa/akUFEi6b5/a4O+InMbNvszI2uRFjfLpGh7C fhrfv4qHbcqkXxU6YGOoXL8s3RZ6BJ0xsKr6s3qt52cf8OKHUshTydJ/V8LyL0PFJAMuOvlURCjG2VI2mdBwbdLbORBr+H/YUnH7YJy5oB65merH/KUhpDc9 al6EOtgN0SWF7GsGdb+aREjrszR0upcm20g6eM4uD4JrVR94GvPOPGzqq3S8gGT3DcieSM3Zy0YHyqkC0wP2/A== X-Rspamd-Queue-Id: 5620480D0F X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-3.02 / 15.00]; ARC_NA(0.00)[]; FAKE_REPLY(1.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; IP_SCORE(-1.85)[ip: (-4.36), ipnet: 64.59.128.0/20(-2.68), asn: 6327(-2.14), country: CA(-0.09)]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; URI_COUNT_ODD(1.00)[3]; RCPT_COUNT_FIVE(0.00)[5]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: spqr.komquats.com]; NEURAL_HAM_SHORT(-0.96)[-0.959,0]; RCVD_IN_DNSWL_LOW(-0.10)[9.134.59.64.list.dnswl.org : 127.0.5.1]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:6327, ipnet:64.59.128.0/20, country:CA]; RCVD_TLS_LAST(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[17.125.67.70.zen.spamhaus.org : 127.0.0.11] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 17:19:00 -0000 Base needs updating. --- Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. Also, this old phone only supports top post. Apologies. Cy Schubert or The need of the many outweighs the greed of the few. --- -----Original Message----- From: Roger Marquis Sent: 17/12/2018 08:09 To: Kubilay Kocak Cc: ports-secteam@FreeBSD.org; freebsd-security@freebsd.org; Brooks Davis Subject: Re: SQLite vulnerability On Mon, 17 Dec 2018, Kubilay Kocak wrote: > Pretty close :) > Original source/announcement: > https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability= -in-sqlite-disclosed=20 > [December 14th, 2018] Not original though Tenable may have based their announcement on: https://meterpreter.org/sqlite-remote-code-execution-vulnerability-alert= / [December 11th, 2014] > I've already re-opened Issue #233712 [1], which was our databases/sqlite3= =20 > port update to 3.26.0 and requested a merge to quarterly. Thank you Kubila and thanks to pavelivolkov@gmail.com who updated the sqlit= e3 port on December 4th. Roger Marquis _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Mon Dec 17 17:44:54 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E914313471D1 for ; Mon, 17 Dec 2018 17:44:53 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F0D1E81E45 for ; Mon, 17 Dec 2018 17:44:52 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: by mail-lj1-x236.google.com with SMTP id v15-v6so11739382ljh.13 for ; Mon, 17 Dec 2018 09:44:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SOSlWlM1V/1DUHKYBPV00Qb2tZVUI0EjbfQ7rnWXjw0=; b=mrXZFo2K0QIDGcXlCJ66Ce31n2wtbit0w9v5jWmqH3Gkn02FwtuYpthNW+tldMANDG PEQnOpaaA1VUS7u/tJVax4TolgbPz29OKgzYufgjffB0k+Tm9bB5DpjOzHxvxO5KvjaM dNbHCx99jA/MlEO+IV583ANFdAyKEWzH+8cB0pi/ykMn/x731UuqbSMeZTJ/Sh/UO/9h cso2i8TDvhILSwc4bJxOgdaHp956EovSRPKBt+EL3YU3w9q6/Fc/b9AxyZZqJuWEQH7n vtuN6VBwyvqFcYW23xzLdA7LiWy1uM4nbt+m04GZEjzjgL494lxaiXuyvmeB7xMW40Cv HTFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=SOSlWlM1V/1DUHKYBPV00Qb2tZVUI0EjbfQ7rnWXjw0=; b=YHVVKVn8ThqC1YDJY2nz3DGkxXwOAQ2kTfI/hbuIhu+mS2tP86ASLlWsZEeR7oApM7 m7u+9RSMdIz9pZel3HcpBgzaowWEv8fDayOsySqL/fv4f/QBk3dXQ0FGfv1Hl+qFjoxi tWoze0KuZTxyE7AQD7jjsc4ZYjF0QqstMVFOOkdRWHswT6sqAmQez3d+uiV6sI2bjsJe J39VxLU3MBbqG4i/Fgh/WAZdZXsEk1yyy4yjSWJCsZ8HBrPVhninejfKTuhZGOZnLFtS doXKeMB4hthzd3aKkYxmvI95qfqt+kxFEcASp83V7nTpIkFc5ME5baWtcg4VwE5RUNVP 7Q8g== X-Gm-Message-State: AA+aEWYqVmBRZ3SlJSXtJcihLT0t1niE+7luGPkcJyxEeVngvTUhax1j bW4RiQvPBQD7EM6GqFF+C3hAZORsJvbf9Uq7clkzbpeb X-Google-Smtp-Source: AFSGD/UbsLMJzyoU8g5KyK4oHX2y0wsPgj8TvY+61bPapwzkcC8NsENN9pUVJvLcSkfRMih+xJ2jkGNnp7L6sZpTHgE= X-Received: by 2002:a2e:20c3:: with SMTP id g64-v6mr8876618lji.101.1545068691048; Mon, 17 Dec 2018 09:44:51 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Robert Simmons Date: Mon, 17 Dec 2018 12:44:40 -0500 Message-ID: Subject: Re: SQLite vulnerability To: freebsd-security@freebsd.org X-Rspamd-Queue-Id: F0D1E81E45 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=mrXZFo2K; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of rsimmons0@gmail.com designates 2a00:1450:4864:20::236 as permitted sender) smtp.mailfrom=rsimmons0@gmail.com X-Spamd-Result: default: False [-6.49 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[6.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(-2.53)[ip: (-9.65), ipnet: 2a00:1450::/32(-1.56), asn: 15169(-1.36), country: US(-0.08)]; NEURAL_HAM_SHORT(-0.95)[-0.953,0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 17:44:54 -0000 I'm objecting to your tone, which is nearly always negative. The link I sent states the problem with your tone in a much better and more eloquent way than I can. I challenge you to change your tone when you post to the list in the future. On Mon, Dec 17, 2018 at 10:28 AM Roger Marquis wrote: > Robert Simmons acerbically replied: > > Since you may not read that essay on open source software, here is the > > salient point for you: > > - For users: remember when filing an issue, opening a pull request or > > making a comment on a project to be grateful that people spend their > free > > time to build software you get to use for free. Keep your frustrations > and > > The problem with Robert Simmons' line of reasoning: > > a) keeping vulxml up to date is a fixable problem, and > > b) ignoring the critical role of FreeBSD's security teams will only > result in FreeBSD boxes being hacked and end-users migrating to > Linux. > > Considering the lack of technical or logical arguments being made > against, for example, larger security teams or security team funding > (after all, we're only talking about timely entries in the vulnerability > database) it would not be unreasonable to conclude that opposition > viewpoints are simply Linux advocates. > > Roger Marquis > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@freebsd.org Mon Dec 17 18:44:20 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0CAC91348D64 for ; Mon, 17 Dec 2018 18:44:20 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm4.ctc.com (pm4.ctc.com [147.160.99.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pm4.ctc.com", Issuer "RapidSSL SHA256 CA - G3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 40314845F7 for ; Mon, 17 Dec 2018 18:44:19 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pps.filterd (pm4.ctc.com [127.0.0.1]) by pm4.ctc.com (8.16.0.27/8.16.0.27) with SMTP id wBHIe6Sj024416 for ; Mon, 17 Dec 2018 13:44:17 -0500 Received: from server3a.ctc.com ([10.160.17.12]) by pm4.ctc.com with ESMTP id 2pcuqsbw43-1 (version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for ; Mon, 17 Dec 2018 13:44:17 -0500 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.14.4/8.14.4) with ESMTP id wBHIiIuD009608 for ; Mon, 17 Dec 2018 13:44:18 -0500 Received: (from cameron@localhost) by linux116.ctc.com (8.14.4/8.14.4/Submit) id wBHIiGuF000732 for freebsd-security@freebsd.org; Mon, 17 Dec 2018 13:44:16 -0500 Date: Mon, 17 Dec 2018 13:44:16 -0500 From: "Cameron, Frank J" To: freebsd-security@freebsd.org Subject: Re: SQLite vulnerability Message-ID: <20181217184416.GL10650@linux116.ctc.com> References: <20181217120937.GC78044@smtp.iq.pl> <20181217141432.GJ10650@linux116.ctc.com> <13776b0f-8c74-341f-5fda-42ddd9624635@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <13776b0f-8c74-341f-5fda-42ddd9624635@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Rspamd-Queue-Id: 40314845F7 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of cameron@ctc.com designates 147.160.99.24 as permitted sender) smtp.mailfrom=cameron@ctc.com X-Spamd-Result: default: False [-1.67 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.80)[-0.802,0]; RCVD_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.21)[-0.207,0]; DMARC_NA(0.00)[ctc.com]; MX_GOOD(-0.01)[cached: pm4.ctc.com]; NEURAL_HAM_SHORT(-0.34)[-0.336,0]; RCVD_IN_DNSWL_NONE(0.00)[24.99.160.147.list.dnswl.org : 127.0.10.0]; IP_SCORE(-0.02)[country: US(-0.08)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:7816, ipnet:147.160.0.0/16, country:US]; RCVD_TLS_LAST(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 18:44:20 -0000 On Mon, Dec 17, 2018 at 10:02:36AM -0800, Hugh LaMaster wrote: > On 12/17/18 6:14 AM, Cameron, Frank J wrote: > > 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a > > defense-in-depth, designed to head off future vulnerabilities by > > making shadow-tables read-only to ordinary SQL, along with some > > other restrictions. ... > > Just a random thought, but, why not turn on "SQLITE_DBCONFIG_DEFENSIVE" > for both base and ports by default, and, let people who need performance > turn it off manually by choice? > > I'm always in favor of turning on useful security, and, letting people > who need the extra performance turn off certain features manually > and consciously. I haven't seen anything to indicate that there's a performance difference with enabling the defensive flag, but an application that expected to be able to write to the shadow tables[*] would, I assume, crash if the the option was enabled. Upstream will not enable this mode by default: Shadow tables are read/write by default. Shadow tables only become read-only when the SQLITE_DBCONFIG_DEFENSIVE flag is set using sqlite3_db_config(). Shadow tables need to be read/write by default in order to maintain backwards compatibility. For example, the SQL text generated by the .dump command of the CLI writes directly into shadow tables. https://www.sqlite.org/vtab.html#xshadowname (FreshPorts lists close to 400 ports that depend on the sqlite3 port.) [*] When the defensive flag is enabled... The disabled features include but are not limited to the following: * The PRAGMA writable_schema=ON statement. * Writes to the sqlite_dbpage virtual table. * Direct writes to shadow tables. https://sqlite.org/c3ref/c_dbconfig_defensive.html ----------------------------------------------------------------- This message and any files transmitted within are intended solely for the addressee or its representative and may contain company proprietary information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ----------------------------------------------------------------- From owner-freebsd-security@freebsd.org Mon Dec 17 19:50:23 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C8855134AA8A for ; Mon, 17 Dec 2018 19:50:23 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 9BFB8872FF for ; Mon, 17 Dec 2018 19:50:22 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id 882A93ADE4 for ; Mon, 17 Dec 2018 11:50:15 -0800 (PST) From: "Ronald F. Guilmette" To: freebsd-security@freebsd.org Subject: Re: SQLite vulnerability In-Reply-To: Date: Mon, 17 Dec 2018 11:50:15 -0800 Message-ID: <32156.1545076215@segfault.tristatelogic.com> X-Rspamd-Queue-Id: 9BFB8872FF X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of rfg@tristatelogic.com designates 69.62.255.118 as permitted sender) smtp.mailfrom=rfg@tristatelogic.com X-Spamd-Result: default: False [-0.09 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.32)[-0.320,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; DMARC_NA(0.00)[tristatelogic.com]; MX_GOOD(-0.01)[mx1.tristatelogic.com]; NEURAL_SPAM_LONG(0.51)[0.511,0]; NEURAL_HAM_SHORT(-0.05)[-0.052,0]; IP_SCORE(-0.02)[country: US(-0.08)]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:14051, ipnet:69.62.128.0/17, country:US]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 19:50:24 -0000 I just wanted to say that I'm sorry to see there being a somewhat, testy exchange here on this list with regards to the SQLite issue, but at least it gives me an opportunity to crack a rather lame joke that I just made up by accident. I'll be talking with another security professional by phone later today (about an unrelated issue), and I just thought that I would comment to him that this SQLite issue has a lot of people on edge. (Get it?) Hey! These are the jokes folks! Worth what you paid for them. From owner-freebsd-security@freebsd.org Tue Dec 18 08:21:39 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D6B08134543D; Tue, 18 Dec 2018 08:21:38 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5989F85C8F; Tue, 18 Dec 2018 08:21:38 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: by mail-pf1-x42f.google.com with SMTP id g62so7754241pfd.12; Tue, 18 Dec 2018 00:21:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:reply-to:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=dpndl5ctl3UPh3v3NI9kbfjXjmOOn2hrH1D3kpK8M4M=; b=IDj1cvu4gbgECOy7Nz2BfnNE+sOgHBKJ8HMdNE5+Xq8tSv9K1cC8iaACc+F/e6qD12 ViImineLNUqqcUIiZm5H8BVcFnci0eLzVMOUhfwZ6s4l9JX98ZuW3LTox/GaOG8/lQ3+ WQGDNsh3HmVeICqS8oqEKcf4TdK8qWego0dkAHfrlItJKvB2hCT6JEh7PY9qSwlt1tsy 4esTkzQphhI66ww2I77sGQNpuPyPSSJM4JoE1vOXRr84Bo0BbZr36tGuYWvdJa/NLJz3 2FNTrsKAUhjFxbzJy+Kx1IPfY3Wmz+LtGIvMIKom7dWsYCv59o9u3P7VUZ9d08r3aUiv Tg3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:reply-to:subject:to:cc:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=dpndl5ctl3UPh3v3NI9kbfjXjmOOn2hrH1D3kpK8M4M=; b=smewKGoY93xdOOw25uKQ+HRBj/iifmpz8CUhjChPTOUplhP6x0CbXBvSfiAbC1r+lR 78cx7sGxN1yeG9vh9CJzyTIWmK6ABGH4FJOHVkjop3DB0s6AN9sRQNizTfhhB33mCfLb TiIiBTmBk+vjbuBZedj+47z9wgLCF5q54lBitdss1kEhBSOoXZdeHfQP0h87Rvprv4u6 AWzLninLq0AD0+tSPTHGNbh2E/bS3RCfhAmhQWVp5LUpVonj3Lw3c1owqjqoFtWuC1X4 gve5lXtCEhTMX6TQOYRz6ey7Pv8RT7pmkDsygNQjqK2JHRIFEAePcOJ6aAs4WTZgR3zF 3fIA== X-Gm-Message-State: AA+aEWYs2HGh+EBtwDFm287/JMdeOpDOwEgTqoNJGZK05m5Yp/ke//Om FMqcA6jqV2WedErqNRr8/Sd0MPjC X-Google-Smtp-Source: AFSGD/WJUoykJ0u+ntiJ8yNkNSGXGaUgxi4q3hNc6Yq1PFu8s9P3MTXicMCNxu5Z0ntUMul0LUWKIQ== X-Received: by 2002:a62:2f06:: with SMTP id v6mr15980482pfv.216.1545121296947; Tue, 18 Dec 2018 00:21:36 -0800 (PST) Received: from [192.168.1.105] (119-18-15-55.cust.aussiebb.net. [119.18.15.55]) by smtp.gmail.com with ESMTPSA id z13sm20286735pgf.84.2018.12.18.00.21.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Dec 2018 00:21:36 -0800 (PST) Sender: Kubilay Kocak Reply-To: koobs@FreeBSD.org Subject: Re: SQLite vulnerability To: freebsd-security@freebsd.org Cc: ports-secteam@FreeBSD.org, "secteam@freebsd.org" References: <20181217084435.GC4757@spindle.one-eyed-alien.net> <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org> From: Kubilay Kocak Message-ID: <1594cbdb-46eb-a4cd-2e97-bc6164b2824e@FreeBSD.org> Date: Tue, 18 Dec 2018 19:21:32 +1100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Thunderbird/64.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 5989F85C8F X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.991,0]; REPLY(-4.00)[]; TAGGED_FROM(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Dec 2018 08:21:39 -0000 On 18/12/2018 3:06 am, Roger Marquis wrote: > On Mon, 17 Dec 2018, Kubilay Kocak wrote: >> Pretty close :) >> Original source/announcement: >> https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed >> [December 14th, 2018] > > Not original though Tenable may have based their announcement on: > > > https://meterpreter.org/sqlite-remote-code-execution-vulnerability-alert/ >   [December 11th, 2014] > >> I've already re-opened Issue #233712 [1], which was our >> databases/sqlite3 port update to 3.26.0 and requested a merge to >> quarterly. > > Thank you Kubila and thanks to pavelivolkov@gmail.com who updated the > sqlite3 > port on December 4th. > > Roger Marquis Created a parent tracking bug linking the existing issues, and for any other issues to be linked: SQLite: Remote code execution vulnerability (Magellan) https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234112 From owner-freebsd-security@freebsd.org Wed Dec 19 20:52:22 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8CAAF1344157 for ; Wed, 19 Dec 2018 20:52:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2D7946D1BB; Wed, 19 Dec 2018 20:52:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 1027F19B4A; Wed, 19 Dec 2018 20:52:22 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20181219205222.1027F19B4A@freefall.freebsd.org> Date: Wed, 19 Dec 2018 20:52:22 +0000 (UTC) X-Rspamd-Queue-Id: 2D7946D1BB X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.79 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.97)[-0.966,0]; NEURAL_HAM_SHORT(-0.86)[-0.864,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-0.96)[-0.960,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Dec 2018 20:52:22 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-18:15.bootpd Security Advisory The FreeBSD Project Topic: bootpd buffer overflow Category: core Module: bootpd Announced: 2018-12-19 Credits: Reno Robert Affects: All supported versions of FreeBSD. Corrected: 2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE) 2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1) 2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE) 2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7) CVE Name: CVE-2018-17161 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The bootpd utility implements an Internet Bootstrap Protocol (BOOTP) server as defined in RFC951, RFC1532, and RFC1533. II. Problem Description Due to insufficient validation of network-provided data it may be possible for a malicious attacker to craft a bootp packet which could cause a stack buffer overflow. III. Impact It is possible that the buffer overflow could lead to a Denial of Service or remote code execution. IV. Workaround Firewall rules may be used to limit reception of bootp packets to only trusted networks or hosts. Note that the bootp protocol is typically limited to a common layer 2 broadcast domain, although the bootpgw gateway can forward bootp requests and responses between subnets. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart bootpd if it is running in standalone mode. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch # fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc # gpg --verify bootpd.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r342228 releng/12.0/ r342230 stable/11/ r348229 releng/11.2/ r342231 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwane5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKfzg/+PhmA1AKfXFSkeJJPvdF/7hjKpWaCdVAyUZsuWH5L1Tmb4Lc/pLjw22Ba Xh/sAKik6pa/nVTZCBgAqoCqmV8CdhScwvRZdVSP5CQ9vnM+6fFcybP0aCZOmiJC NGAE8nIBdazqWJfNM9HUSIbdqEOtMlVcyE0Ni/TxzcAFdzFowfDnyRm1wqI4zhM7 YL7pU0kTYJfydjK540rHB1tNBaYHSJ/6ckK3tkjwjVgMsQwNSizKrPsqycoMlMmD TqQMfDwU8W/jFLsr7OZE66eQBysSiuzYAv3IsipL+50SYgS0aoo3LwKrCcYGN6c/ S/0SOfNHDgd/7wregI5adKqWJceaqZCVedSVLm6ZaG1Vt3alIjczX9D7wIjuXPlD AkSKa0HnmSwDC8yWLJYMxuny7vy3uBAUnPiwIT3RrsDC0b28/uwNPbeSbG0Wrf9F 21PDMfeCPc2Vr/TVj9uSIo20pNtVhy+tGbx1Ilsgi3POa3n7pTOuFWHMzQVe3rZA DLYEbliPxpq9NFJ/2UZQg25weOD5ygwaYZnbsXAMY47D4kteeQOjzomgiacVhE56 oT8z804nGgGdCe4LpiHihDVzCbBvvuEPw9Edffzm7EWykpy7qn/aJQehfPfcfbeA dvQ5khiLr0rMUeg9HU6oHu8+Lp4X+wQc3lCF2rXe+oqRierywec= =jlRR -----END PGP SIGNATURE-----