159 lines
6.5 KiB
Text
159 lines
6.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:22.sqlite Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple vulnerabilities in sqlite3
|
|
|
|
Category: contrib
|
|
Module: sqlite3
|
|
Announced: 2020-08-05
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2020-06-15 03:10:53 UTC (stable/12, 12.1-STABLE)
|
|
2020-08-05 17:13:08 UTC (releng/12.1, 12.1-RELEASE-p8)
|
|
2020-06-15 03:10:53 UTC (stable/11, 11.4-STABLE)
|
|
2020-08-05 17:13:08 UTC (releng/11.4, 11.4-RELEASE-p2)
|
|
2020-08-05 17:13:08 UTC (releng/11.3, 11.3-RELEASE-p12)
|
|
CVE Name: CVE-2020-11655, CVE-2020-11656, CVE-2020-13434,
|
|
CVE-2020-13435, CVE-2020-13630, CVE-2020-13631,
|
|
CVE-2020-13632
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
SQLite is an SQL database engine in a C library. Programs that link the
|
|
SQLite library can have SQL database access without running a separate RDBMS
|
|
process. The distribution comes with a standalone command-line access
|
|
program (sqlite3) that can be used to administer an SQLite database and which
|
|
serves as an example of how to use the SQLite library.
|
|
|
|
FreeBSD includes SQLite as a private library for base system usage that is
|
|
not generally exposed for third party packages to use.
|
|
|
|
II. Problem Description
|
|
|
|
Multiple vulnerabilities have been published including improper input
|
|
validation (CVE-2020-11655), use after free (CVE-2020-11656, CVE-2020-13630),
|
|
integer overflow (CVE-2020-13434), null pointer dereference (CVE-2020-13435,
|
|
CVE-2020-13632), and namespace collision (CVE-2020-13631).
|
|
|
|
III. Impact
|
|
|
|
Malicious SQL statements could crash, hijack processes, or cause data
|
|
corruption.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available. The FreeBSD security team is not aware of any
|
|
base system components that use SQLite in such a way as to expose these
|
|
vulnerabilities to untrusted or remote users, but is updating SQLite out of
|
|
an abundance of caution.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.1]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:22/sqlite.12.1.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:22/sqlite.12.1.patch.asc
|
|
# gpg --verify sqlite.12.1.patch.asc
|
|
|
|
[FreeBSD 11.4]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:22/sqlite.11.4.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:22/sqlite.11.4.patch.asc
|
|
# gpg --verify sqlite.11.4.patch.asc
|
|
|
|
[FreeBSD 11.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:22/sqlite.11.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:22/sqlite.11.3.patch.asc
|
|
# gpg --verify sqlite.11.3.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all daemons that use the library, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r362190
|
|
releng/12.1/ r363922
|
|
stable/11/ r362190
|
|
releng/11.4/ r363922
|
|
releng/11.3/ r363922
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11655>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11656>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13434>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13435>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13630>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13631>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13632>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8tucBfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cK6qw//Upt4K3kxobd+a8LHSUvDiVfmMXsfOjXarcXrVfgjdYgv1wW/t2zTs8Zp
|
|
vlLaNHdU3o0MuNkQ6otzB1gnajZk947tkmT7MTFUNPy9dbThusq2zd17jdJ2UjGs
|
|
9WQK8ZdQ8RfOqV80CMC2m9hO+DUhP+WpOPmCGnTE2pCluWX5ZeclpnJMmopXmtHz
|
|
2h6tMiIRHkUx5rZl0mPXOJLnRfqWEG6B15FrbVvbtLI9uM2usgh2QAjAO55zlkqg
|
|
1mbYZqNxW7GrH91LJia/qm6fjqV3xyfESHJ7lSN6jbbYxASwa7tkWJMDIos8bhP5
|
|
UXBQVFwHyndX7jzyGGYuxIoYyDBO7rmw7uGUMskSemYfDXhg38cSGLomsDrQ7z94
|
|
YrmL5tDQln5H03LgzZQCVeetrFRfign4Bca5ZO8trxGDlptjj8BEAMvTqkZR9wVs
|
|
wJ2bV04nYJApBBnWiq+4fL/Yl8ZjvfzEX/8/a+Df/4e6rbomLp1bC3m2dNm9L/1J
|
|
CRvEbvyT1Qy9StDoCmpJ7fibXjsseK4qPN/hA8r+umpsJeDVB34tH8r4CUOMqyCU
|
|
NHAAhvDm6xaICWidH98emsXTKQ8KWwa6cXmCVXyl0DjU9ls9nPN6iQC4eZiS2N4J
|
|
UbAtpJpW4G4VJnHM4Q6UW/UNVYFpzoI/ORXJaH9/AI5wa+s9Yt8=
|
|
=HvUS
|
|
-----END PGP SIGNATURE-----
|