Date: Mon, 17 Dec 2018 19:57:01 +1100
From: Kubilay Kocak <koobs@FreeBSD.org>
To: Brooks Davis <brooks@freebsd.org>, Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org
Subject: Re: SQLite vulnerability
Message-ID: <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org>
In-Reply-To: <20181217084435.GC4757@spindle.one-eyed-alien.net>
References: <nycvar.OFS.7.76.444.1812160753280.5993@mx.roble.com> <20181217084435.GC4757@spindle.one-eyed-alien.net>
On 17/12/2018 7:44 pm, Brooks Davis wrote:
> On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
>> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
>> over the news for a week now. It is patched on all Linux platforms but
>> has not yet shown up in FreeBSD's vulxml database. Does this mean:
>>
>> A) FreeBSD versions prior to 3.26.0 are not vulnerable, or
>>
>> B) the ports-secteam is not able to properly maintain the vulnerability
>> database?
>>
>> If the latter perhaps someone from the security team could let us know
>> how such a significant vulnerability could go unflagged for so long and,
>> more importantly, what might be done to address the gap in reporting?
>
> Almost certainly:
>
> C) This vulnerability was reported in a random blog post on a Sunday
> without any details so people haven't caught up with it yet.
>
> -- Brooks

Pretty close :)

Original source/announcement:
https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed [December 14th, 2018]

I've already re-opened Issue #233712 [1], which was our databases/sqlite3 port update to 3.26.0, and requested a merge to quarterly.

Chromium's fixes are in 71.0.3578.80 [2]; there is an existing www/chromium Bugzilla issue to update to 73.0.3640.0 [3], which has been tracked as a security update and for MFH.

Any ports/packages that embed/bundle their own sqlite3 library will also need updating.

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233712
[2] https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233990
[4] https://news.ycombinator.com/item?id=18685296
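The last point in the reply above (packages that bundle their own copy of sqlite3 need updating too, not just databases/sqlite3) is the part a practitioner has to act on. The script below is an added example and is not code from the thread, the FreeBSD ports tree or the SQLite project. It compares the SQLite version the interpreter is linked against with 3.26.0, the release the thread names as fixed, and scans arbitrary binaries for bundled SQLite copies. The scanner relies on an assumption: that every compiled copy of SQLite carries its source-id string (a timestamp followed by a 40- or 64-hex-digit hash) with the dotted version string a short distance before it. That layout is not something the thread states, so treat a hit as a lead to confirm with `sqlite3_libversion()` or `strings`, not as proof.

```python
"""Find SQLite copies older than the 3.26.0 fix named in the thread.

Added example; not code from the FreeBSD ports tree or the mailing list.
The source-id layout used by the scanner is an assumption about how SQLite
embeds its version metadata, not something the thread documents.
"""
import re
import sqlite3
import sys

# First release carrying the fix discussed in the thread.
FIXED = (3, 26, 0)


def parse_version(s):
    """'3.25.3' -> (3, 25, 3). Short strings such as '3.26' are padded."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version_str):
    """True when the version predates the fixed release."""
    return parse_version(version_str) < FIXED


def linked_sqlite_version():
    """Version of the libsqlite3 this interpreter is linked against."""
    return sqlite3.sqlite_version


# Assumption: a compiled SQLite carries a source id such as
# "2018-11-05 20:37:38 <hex hash>" (40 hex digits for older releases,
# 64 for newer ones) and keeps its version string shortly before it.
_SOURCE_ID = re.compile(rb"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [0-9a-f]{40,64}")
_VERSION = re.compile(rb"(?<![\d.])(3\.\d{1,2}\.\d{1,2})(?![\d.])")
_WINDOW = 512  # bytes searched before each source id for the version


def find_embedded_sqlite(data):
    """Return the version strings of SQLite copies found in `data`."""
    found = []
    for m in _SOURCE_ID.finditer(data):
        window = data[max(0, m.start() - _WINDOW):m.start()]
        versions = _VERSION.findall(window)
        if versions:
            # Take the match closest to the source id.
            found.append(versions[-1].decode("ascii"))
    return found


def scan_file(path):
    """Return (version, vulnerable) pairs for SQLite copies inside a file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(v, is_vulnerable(v)) for v in find_embedded_sqlite(data)]


if __name__ == "__main__":
    v = linked_sqlite_version()
    print(f"linked libsqlite3: {v} {'VULNERABLE' if is_vulnerable(v) else 'ok'}")
    for path in sys.argv[1:]:
        for v, bad in scan_file(path):
            print(f"{path}: bundled sqlite {v} {'VULNERABLE' if bad else 'ok'}")
```

Run it with the shared objects and executables of the packages you suspect of bundling SQLite (for example `python3 sqlite_check.py /usr/local/lib/*.so* /usr/local/bin/*`); a reported version below 3.26.0 means that package needs its own update regardless of what databases/sqlite3 is at.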