diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-EN-19:03.sqlite.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-EN-19:03.sqlite.asc | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/share/security/advisories/FreeBSD-EN-19:03.sqlite.asc b/share/security/advisories/FreeBSD-EN-19:03.sqlite.asc deleted file mode 100644 index c5deeb3a96..0000000000 --- a/share/security/advisories/FreeBSD-EN-19:03.sqlite.asc +++ /dev/null @@ -1,145 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 - -============================================================================= -FreeBSD-EN-19:03.sqlite Errata Notice - The FreeBSD Project - -Topic: sqlite update - -Category: contrib -Module: sqlite3 -Announced: 2019-01-09 -Credits: Cy Schubert -Affects: All supported versions of FreeBSD. -Corrected: 2018-12-21 01:58:01 UTC (stable/12, 12.0-STABLE) - 2019-01-09 18:47:10 UTC (releng/12.0, 12.0-RELEASE-p2) - 2018-12-21 02:04:15 UTC (stable/11, 11.2-STABLE) - 2019-01-09 18:50:27 UTC (releng/11.2, 11.2-RELEASE-p8) -CVE Name: CVE-2018-20346, CVE-2018-20505, CVE-2018-20506 - -For general information regarding FreeBSD Errata Notices and Security -Advisories, including descriptions of the fields above, security -branches, and the following sections, please visit -<URL:https://security.FreeBSD.org/>. - -I. Background - -SQLite is an SQL database engine in a C library. Programs that link the -SQLite library can have SQL database access without running a separate RDBMS -process. The distribution comes with a standalone command-line access -program (sqlite3) that can be used to administer an SQLite database and which -serves as an example of how to use the SQLite library. - -II. Problem Description - -According to https://blade.tencent.com/magellan/index_en.html, the -vulnerabilities known as Magellan are a group vulnerabilities that exist -in sqlite3, documented by CVE-2018-20346, CVE-2018-20505, and CVE-2018-20506. - -When the FTS3 extension is enabled an integer overflow resulting in a buffer -overflow when allowing remote attackers to run arbitrary SQL statements which -can be leveraged to execute arbitrary code. - -III. Impact - -The vulnerabilities were discovered by Tencent Blade Team and verified to be -able to successfully implement remote code execution in Chromium browsers. - -IV. Workaround - -No workaround is available. - -V. Solution - -Perform one of the following: - -1) Upgrade your system to a supported FreeBSD stable or release / security -branch (releng) dated after the correction date. - -2) To update your system via a binary patch: - -Systems running a RELEASE version of FreeBSD on the i386 or amd64 -platforms can be updated via the freebsd-update(8) utility: - -# freebsd-update fetch -# freebsd-update install - -3) To update your system via a source code patch: - -The following patches have been verified to apply to the applicable -FreeBSD release branches. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -[FreeBSD 11.2] -# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-11.patch -# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-11.patch.asc -# gpg --verify sqlite-11.patch.asc - -[FreeBSD 12.0] -# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-12.patch -# fetch https://security.FreeBSD.org/patches/EN-19:03/sqlite-12.patch.asc -# gpg --verify sqlite-12.patch.asc - - -b) Apply the patch. Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile the operating system using buildworld and installworld as -described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. - -Restart all daemons that use the library, or reboot the system. - -VI. Correction details - -The following list contains the correction revision numbers for each -affected branch. - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/12/ r342291 -releng/12.0/ r342895 -stable/11/ r342292 -releng/11.2/ r342896 -- ------------------------------------------------------------------------- - -To see which files were modified by a particular revision, run the -following command, replacing NNNNNN with the revision number, on a -machine with Subversion installed: - -# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base - -Or visit the following URL, replacing NNNNNN with the revision number: - -<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> - -VII. References - -<URL:https://blade.tencent.com/magellan/index_en.html> - -<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234113> - -The latest revision of this advisory is available at -<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:03.sqlite.asc> ------BEGIN PGP SIGNATURE----- - -iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2RdFfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD -MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n -5cLtJg/9EM0jQbTBrSgVy5X1AyQ2rcFz9KbjtA0L48wOuOLiAh7eeYxh4Wxuz9k1 -QnEJavMbpVr71yhmt6maEAbRzyGUvemDh4vlu0wjcYSlEzcvk7xaRzfXimippxky -GumFBCvs7UKDIiGRr62ukmxu3FgfEaTM/Cc4bNcuV5k4za+DWIGTu+97i0+B2ieX -/IZ5hQq42w1YIUY5QOy2vj87rnQf2t+uShcBjRg8HsnPsG9BfQfI8vfuWjjtaKMI -iva++F5UJWcsykjZo5J3aaZFxnHsW2hs3buQN+AhoEt7oKdGquOHdweSw8xtSlp9 -3Y+qj+veD7u4Mt95OtnYrJOg8Kynlrzg5uMDbNGbyqktbxfpi2gqBbPEVmx2+nGj -Aj9PDSHMliBZsVKvr1opExfYp4HL0LB9Kqhato08lFxs05TUxiT6LRcel/iXiIfl -vCqfWhKJYVZ+alAW+Kjic6iWw7AtmVLbV64dDu03jxS/14RtRp1Hbk1BRCrnJeLn -sLSdFj6bi2mQx6OXAd9G9jhReoxylyZwRXyhPSsPG1E4mzX6ZRbJfnkriSazW4hq -F+PjTyXidn3uhS6z6CZB08Ltw2NBd3baRl/TQBEiFHd6SSGByqX6gMguK/tQV92U -uM/Q4Ak4H/Q+nEN8/LdXioW0P7ZEC6X/9GXKWv+bUs6LjcZXftA= -=TG5W ------END PGP SIGNATURE----- |