Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

Pierre Gruet pgt at debian.org
Tue Jun 13 23:01:18 BST 2023 

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-jdbc at packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 has been filled a few days before the release of Bookworm.
This is a security bug associated to CVE-2023-32697. Although it has been
marked no-dsa by the security team, we exchanged a few emails and our
conclusion was the fix of this bug, which amounts to cherry-pick one commit of
upstream, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
package are mainly used in a single-user environment, but possibly it is also
used in a network environment by some users for their own programs, and this is
where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
Code is very simple, only 2 lines are changed. Upstream has published it
three weeks ago and it has issued new upstream versions since then.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
which uses a random UUID instead of the hash of some fixed address in order to
define the DB file name.



Thanks for your help,

Best,

-- 
Pierre
-------------- next part --------------
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.000000000 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet <pgt at debian.org>  Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	1970-01-01 01:00:00.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	2023-06-13 23:17:23.000000000 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet <pgt at debian.org>
+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
++++ b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+         }
+ 
+         String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-        String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++        String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+         File dbFile = new File(tempFolder, dbFileName);
+ 
+         if (dbFile.exists()) {
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-02-02 17:16:53.000000000 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-06-13 23:10:58.000000000 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch

More information about the pkg-java-maintainers mailing list