Bugzilla – Bug 1195771
VUL-0: perl-DBD-SQLite: embedded sqlite version means that security fixes are not addressed
Last modified: 2022-09-20 11:31:41 UTC
It was recently discovered that perl-DBD-SQLite embeds a separate version of sqlite and is not using the version officially maintained by SUSE. This means that security updates are not automatically picked up, even if they are fixed in the system version of sqlite. Is there a way to use the sqlite version that is officially maintained, or do we need to make sure that all sqlite vulnerabilities are separately fixed in perl-DBD-SQLite too?
Is this needed in Factory only or also in any other codestream?
Factory fixed: https://build.opensuse.org/request/show/960437 Ping Robert.
Sorry for the late response!

(In reply to Josef Möllers from comment #1)
> Is this needed in Factory only or also in any other codestream?

I would be interested to get this into general support products. So SUSE:SLE-12:Update/perl-DBD-SQLite and SUSE:SLE-15-SP3:Update/perl-DBD-SQLite would be great to have, so we can get this in SLE12-SP5 and SLE15-SP3 at the very least. Let me know if there are problems with that.
I'm afraid this won't work with SUSE:SLE-12:Update. There are differences between some error messages. E.g. INSERTing a value twice into a UNIQUE column:

existing error message contains "column a is not unique"
sqlite3 error message contains "UNIQUE constraint failed"

I am not sure how this will work with existing scripts. It does look good for SUSE:SLE-15-SP3:Update, though.
SUSE:SLE-15-SP3:Update - https://build.suse.de/request/show/267375
Assigning back to security team.
We are now having problems in openQA tests on Tumbleweed / Factory: https://progress.opensuse.org/issues/108272

I would assume we would see problems in production, but because the builds fail for Leap, production still has the old version. Sebastian writes: "the XS code is heavily dependent on the actual SQLite version it ships with".
Hi Josef, we are currently shipping (and supporting) perl-DBD-SQLite to the following codestreams:
- SUSE:SLE-11:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP3:Update

hence we need to apply the same change to all of the above packages. If I understood correctly that won't be easy on older codestreams due to the fact that there are some breaking changes between the embedded sqlite version and the one provided at system level. I may see a couple of solutions here:
1. we have another package named sqlite2 in SUSE:SLE-11:Update and SUSE:SLE-12:Update, have you tried to use that one instead of sqlite3?
2. we'll ask you to backport all the security patches to the embedded sqlite version of each codestream
I am stepping in as the maintainer of SQLite.

(In reply to Gianluca Gabrielli from comment #8)
> I may see a couple of solutions here:
> 1. we have another package named sqlite2 in SUSE:SLE-11:Update and
> SUSE:SLE-12:Update, have you tried to use that one instead of sqlite3?

sqlite2 is not maintained anymore and neither the API nor the on-disk format of the database files is compatible with version 3.

> 2. we'll ask you to backport all the security patches to the embedded sqlite
> version of each codestream

That doesn't make sense, because often it is not even decidable whether an old version is "vulnerable" (see below) to a certain CVE or not, as has already been discussed many times in relation to the SQLite package itself. Additionally, about all CVEs that have ever been reported against SQLite are no security issues whatsoever, as upstream explains in detail here: https://www.sqlite.org/cves.html
Can we try a bit more on SLE12? I don't think it will be much effort to switch to system sqlite3. Or can we update the SLE12 perl-DBD-SQLite to the 15-SP3 level perhaps, if it is compatible?
openSUSE-SU-2022:0953-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1195771
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): perl-DBD-SQLite-1.66-150300.3.3.1
openSUSE Leap 15.3 (src): perl-DBD-SQLite-1.66-150300.3.3.1
SUSE-SU-2022:0953-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1195771
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): perl-DBD-SQLite-1.66-150300.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): perl-DBD-SQLite-1.66-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Marcus Meissner from comment #10)
> can we try a bit more on SLE12? i dont think it will be much effort to
> switch to system sqlite3.
>
> or can we update the SLE12 perl-DBD-SQLite to the 15-sp3 level perhaps if it
> is compatible?

No, that won't work because the SLE-12 sqlite3 library is too old (sqlite3-3.8.x) and misses some required symbols (sqlite3_strglob, sqlite3_strlike). SLE-15 has sqlite3-3.36.x.
AFAICS we don't have any maintained products anymore that are based on the SLE-12-SP0 code base, so there is no need to update perl-DBD-SQLite there. It should be enough to submit the newer perl package to SP1 only, which has a much more recent version of SQLite.
@Josef: could you confirm that the version of `perl-DBD-SQLite` in SUSE:SLE-12:Update could work with sqlite3 version shipped in SUSE:SLE-12-SP1:Update or SUSE:SLE-12-SP2:Update?? If this is the case, we could branch (fork) `perl-DBD-SQLite` to SUSE:SLE-12-SP1:Update or SUSE:SLE-12-SP2:Update, while keeping the same version and making it use the `sqlite3` system package. Then if that works, from our side we'll update _channels files accordingly, in order to make our products to take `perl-DBD-SQLite` from the SUSE:SLE-12-SP1:Update or SUSE:SLE-12-SP2:Update codestream, and set SUSE:SLE-12:Update/perl-DBD-SQLite as unsupported. Otherwise, if we need to version bump `perl-DBD-SQLite` then we need to file an ECO request first.
(In reply to Gianluca Gabrielli from comment #17)
> @Josef: could you confirm that the version of `perl-DBD-SQLite` in
> SUSE:SLE-12:Update could work with sqlite3 version shipped in
> SUSE:SLE-12-SP1:Update or SUSE:SLE-12-SP2:Update??

No. The perl-DBD-SQLite in SUSE:SLE-12:Update has an sqlite3 version 3.7.15 embedded, while sqlite3 in SLE-12-SP1 and -SP2 is at 3.36.0. While it compiles OK, the tests fail due to
* different error messages
* an incompatibility in the execution status.

I was only able to build the package with the sources from SUSE:SLE-15-SP3:Update (DBD-SQLite-1.66.tar.gz).
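A quick check for the situation discussed in comments #6 and #18, added here as an example and not part of the bug report or of the DBD::SQLite project: it reports which SQLite library DBD::SQLite is actually using (bundled copy versus system library) and shows the UNIQUE violation message, whose wording differs between the embedded 3.7.x and the system 3.36.x library. It assumes DBI and DBD::SQLite are installed and that a `sqlite3` shell, if present, is on PATH.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): report the SQLite library that
# DBD::SQLite is linked against and show the version-dependent UNIQUE error text.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 0, PrintError => 0 });

# Library version as seen by the driver (compiled-in or linked) and via SQL.
my $driver_ver = $dbh->{sqlite_version};                    # e.g. "3.36.0"
my ($sql_ver)  = $dbh->selectrow_array("SELECT sqlite_version()");

# Version of the system sqlite3 shell, assumed to be on PATH (optional).
my $system_ver = `sqlite3 --version 2>/dev/null`;
$system_ver = (defined $system_ver && $system_ver =~ /^(\d+\.\d+\.\d+)/)
    ? $1 : 'not found';

print "DBD::SQLite version   : $DBD::SQLite::VERSION\n";
print "library via \$dbh      : $driver_ver\n";
print "library via SQL       : $sql_ver\n";
print "system sqlite3 shell  : $system_ver\n";
print "NOTE: versions differ, DBD::SQLite is probably using its bundled copy\n"
    if $system_ver ne 'not found' && $driver_ver ne $system_ver;

# Trigger the UNIQUE violation from comment #6: the message text depends on
# the library version, so scripts that match on it must accept both forms.
$dbh->do("CREATE TABLE t (a INTEGER UNIQUE)");
$dbh->do("INSERT INTO t (a) VALUES (1)");
$dbh->do("INSERT INTO t (a) VALUES (1)");   # second insert fails
my $err = $dbh->errstr // '';
print "UNIQUE error text     : $err\n";
if ($err =~ /UNIQUE constraint failed/) {
    print "=> newer library wording (as with the system sqlite3 3.36.x)\n";
} elsif ($err =~ /is not unique/) {
    print "=> older library wording (as with the embedded 3.7.x)\n";
}
$dbh->disconnect;
```

Running this on a host where the reported library version differs from the system `sqlite3` shell is the simplest way to tell that the package still carries its own SQLite copy, and therefore does not receive the system library's security updates.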
I do think this bug is not relevant as Reinhard has pointed out in comment #9. So I wonder if we should really go through all this trouble and link perl-DBD-SQLite to an external sqlite3 library which will bring no actual improvement. Unless, of course, customers demand this, but then we should point them at the paper linked in comment #9.
Ping Robert Frohl. OK to close this?
As I haven't gotten a reply and since it is my last day at SUSE today, I'm assigning this bug to Reinhard Max to follow up.
(In reply to Josef Möllers from comment #20)
> Ping Robert Frohl.
> OK to close this?

I think having it fixed in SLE-15-SP3 and newer is good enough.
Closing.