Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc
Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 has been filed a few days before the release of Bookworm. This is a security bug associated with CVE-2023-32697. Although it has been marked no-dsa by the security team, we exchanged a few emails and our conclusion was that the fix for this bug, which amounts to cherry-picking one commit from upstream, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the package are mainly used in a single-user environment, but it is possibly also used in a network environment by some users for their own programs, and this is where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
The code is very simple, only 2 lines are changed. Upstream published it three weeks ago and has issued new upstream versions since then.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream, which uses a random UUID instead of the hash of some fixed address in order to define the DB file name.

Thanks for your help,
Best,

-- 
Pierre
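As an added illustration (not code from sqlite-jdbc or from this upload), the naming scheme before and after the cherry-picked commit side by side: a name derived from a hash of a fixed resource address is identical for every process and user on the host, while a random UUID is not. It goes one step beyond the patch by also showing the JDK's atomic, owner-only temp-file creation; the resource path string, the class name and a POSIX file system are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.UUID;

// Illustration only; this is not sqlite-jdbc code.
public class TempDbNaming {

    // Stands in for the resource address sqlite-jdbc derives the name from.
    // The real code hashes a resource URL; a String is assumed here, and the
    // determinism argument is the same for both.
    static final String RESOURCE = "/org/sqlite/sample.db";

    // Before the fix: String.hashCode() is fixed by the Java language spec, so
    // this name is the same in every JVM run, for every user sharing java.io.tmpdir.
    static String legacyName(String resourceAddr) {
        return String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
    }

    // After the fix: a type-4 UUID from SecureRandom, different on every call,
    // so nobody can know the file name before the connection creates it.
    static String uuidName() {
        return String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
    }

    // Defensive variant beyond the patch: the JDK picks the name, creates the
    // file atomically and applies owner-only permissions in one step, so an
    // already-present file of the same name can never be picked up instead.
    static Path createPrivateTempDb() throws IOException {
        return Files.createTempFile("sqlite-jdbc-tmp-", ".db",
                PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")));
    }

    public static void main(String[] args) throws IOException {
        System.out.println("legacy run 1: " + legacyName(RESOURCE));
        System.out.println("legacy run 2: " + legacyName(RESOURCE)); // same value
        System.out.println("uuid   call 1: " + uuidName());
        System.out.println("uuid   call 2: " + uuidName());          // differs
        Path p = createPrivateTempDb();
        System.out.println("created " + p + " with " + Files.getPosixFilePermissions(p));
        Files.delete(p);
    }
}
```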
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.000000000 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.000000000 +0200 @@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet <p...@debian.org> Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.000000000 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.000000000 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet <p...@debian.org> +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java ++++ b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +- String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++ String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.000000000 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.000000000 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch
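Review bot: the new changelog entry for 3.40.1.0+dfsg-1+deb12u1 names the CVE but not the Debian bug, so the BTS version tracking will not record that #1036706 is fixed in this version, even though the patch's own Bug-Debian header points at https://bugs.debian.org/1036706. The entry also says "for the connection" while the change concerns the temporary DB file name; something like `* Use a random UUID for the temporary DB file name (Fixes CVE-2023-32697, Closes: #1036706)` would cover both.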
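Review bot: in the DEP-3 header of CVE-2023-32697.patch, `Author: Pierre Gruet <p...@debian.org>` credits the packager for a change that `Origin:` and `Applied-Upstream:` identify as upstream commit edb4b8adc2447bc04e05b9b908195a4bc7926242; for a cherry-pick, DEP-3 expects the upstream author in that field. `Description: fixing CVE-2023-32697` would also be more useful if it stated what changes, namely that the temporary DB file name moves from the deterministic `resourceAddr.hashCode()` to `UUID.randomUUID()`. The code hunk itself is consistent: the `%d` to `%s` switch is required because a UUID is not numeric, and the retained `if (dbFile.exists())` branch now guards a practically unreachable collision rather than a predictable one.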