From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: Brooks Davis, Roger Marquis
Cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org
Subject: Re: SQLite vulnerability
Date: Mon, 17 Dec 2018 19:57:01 +1100
Message-ID: <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org>
In-Reply-To: <20181217084435.GC4757@spindle.one-eyed-alien.net>

On 17/12/2018 7:44 pm, Brooks Davis wrote:
> On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
>> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
>> over the news for a week now. It is patched on all Linux platforms but
>> has not yet shown up in FreeBSD's vulxml database. Does this mean:
>>
>> A) FreeBSD versions prior to 3.26.0 are not vulnerable, or
>>
>> B) the ports-secteam is not able to properly maintain the vulnerability
>> database?
>>
>> If the latter perhaps someone from the security team could let us know
>> how such a significant vulnerability could go unflagged for so long and,
>> more importantly, what might be done to address the gap in reporting?
>
> Almost certainly:
>
> C) This vulnerability was reported in a random blog post on a Sunday
> without any details so people haven't caught up with it yet.
>
> -- Brooks
>

Pretty close :)

Original source/announcement:

https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed
[December 14th, 2018]

I've already re-opened Issue #233712 [1], which was our databases/sqlite3
port update to 3.26.0 and requested a merge to quarterly.

Chromium's fixes are in 71.0.3578.80 [2], there is an existing
www/chromium Bugzilla issue to update to 73.0.3640.0 [3], which has been
tracked as a security update and for MFH.

Any ports/packages that embed/bundle their own sqlite3 library will also
need updating.

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233712
[2] https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233990
[4] https://news.ycombinator.com/item?id=18685296
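
Added example, not part of the original message or of any FreeBSD tooling: one way to find the bundled sqlite3 copies mentioned above is to scan installed files for the SQLITE_SOURCE_ID string that SQLite compiles into every build. The cutoff date (assumed here to be the upstream date of 3.26.0), the function names and the sample byte strings are assumptions made for this sketch.

```python
import os
import re
import sys
from datetime import date

# SQLITE_SOURCE_ID has the form "YYYY-MM-DD HH:MM:SS <hex check-in hash>"
# (40 hex digits in older releases, 64 in newer ones).
SOURCE_ID = re.compile(rb"(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2} [0-9a-f]{40,64}")

# Assumption: upstream release date of SQLite 3.26.0, the fixed version
# named in the message. Adjust if your baseline differs.
FIXED_SINCE = date(2018, 12, 1)

def embedded_sqlite_dates(blob: bytes) -> list:
    """Return the build date of every SQLite source id found in blob."""
    found = []
    for m in SOURCE_ID.finditer(blob):
        try:
            found.append(date(int(m[1]), int(m[2]), int(m[3])))
        except ValueError:  # digits that do not form a real calendar date
            continue
    return found

def needs_review(blob: bytes, fixed_since: date = FIXED_SINCE) -> bool:
    """True if blob embeds a SQLite build older than the fixed release."""
    return any(d < fixed_since for d in embedded_sqlite_dates(blob))

def scan_tree(root: str) -> list:
    """Walk root and list (path, dates) for files that need review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()  # whole file in memory; fine for libraries
            except OSError:
                continue  # unreadable file or dangling symlink
            if needs_review(blob):
                hits.append((path, embedded_sqlite_dates(blob)))
    return hits

# Constructed samples (hashes are filler, not real check-in ids).
OLD_SAMPLE = b"\x00libfoo\x002018-06-04 19:24:41 " + b"a" * 64 + b"\x00"
NEW_SAMPLE = b"\x00libbar\x002018-12-01 12:34:55 " + b"f" * 64 + b"\x00"

if __name__ == "__main__":
    for path, dates in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ", ".join(d.isoformat() for d in dates))
```

A hit means "review this package", not "vulnerable": a vendor that backports the fix without changing the source id is still flagged, and a stripped or statically obfuscated copy is not detected at all.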