sqlite-replication: fix build + CVE-2019-16168 #73002

Merged
merged 1 commit into from Nov 8, 2019


d-goldin commented Nov 7, 2019

Motivation for this change

CVE fix in #71695 broke this package, as it's an older
version and additionally disables amalgamation.

Related:
Fixes: #72992
Closes: #72997

The supplied patch is modified minimally to fit this version (slight
line number change for analyze.c).

The fix was verified using
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
as for the previous fix.

@otwieracz: Could you maybe try this one out and see how this one works for you?

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @jokogr @dtzWill @andir

@d-goldin d-goldin changed the title sqlite-replicated: fix build + CVE-2019-16168 sqlite-replication: fix build + CVE-2019-16168 Nov 7, 2019
d-goldin commented Nov 7, 2019

To ease review, a diff of the original vs modified patch:

--- vpatch?from=4f5b2d938194fab7&to=98357d8c1263920b	2019-11-07 23:09:05.442763233 +0100
+++ cve_2019_16168_327_backport.patch	2019-11-07 22:48:12.912811831 +0100
@@ -1,8 +1,11 @@
+This is a backport of https://www.sqlite.org/src/vpatch?from=4f5b2d938194fab7&to=98357d8c1263920b
+with a tiny adjustment for 3.27.2 for the sqlite-replication package.
+
 Index: src/analyze.c
 ==================================================================
 --- src/analyze.c
 +++ src/analyze.c
-@@ -1448,11 +1448,13 @@
+@@ -1495,11 +1495,13 @@
      pIndex->noSkipScan = 0;
      while( z[0] ){
        if( sqlite3_strglob("unordered*", z)==0 ){
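
Review bot: The preamble added above `Index: src/analyze.c` records the upstream vpatch URL and the 3.27.2 target but not the CVE it addresses; adding CVE-2019-16168 to that text would keep the patch file self-describing when it is read outside this PR. The only other difference shown is the hunk start moving from 1448 to 1495 with the lengths (11 and 13) and the context lines unchanged, which is consistent with a pure line-offset adjustment.
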
@d-goldin d-goldin force-pushed the d-goldin:fix_sqlite_replicated branch from 92ae8dc to 29ad848 Nov 7, 2019
@ofborg ofborg bot requested review from edolstra and np Nov 7, 2019
@d-goldin d-goldin force-pushed the d-goldin:fix_sqlite_replicated branch from 29ad848 to 3fe3061 Nov 7, 2019
otwieracz commented Nov 8, 2019

@d-goldin I can confirm that it resolves my original issue.

@andir andir merged commit d9a83d3 into NixOS:release-19.09 Nov 8, 2019
16 checks passed
sqlite-replication on aarch64-linux Success
sqlite-replication on x86_64-darwin Success
sqlite-replication on x86_64-linux Success
@d-goldin d-goldin deleted the d-goldin:fix_sqlite_replicated branch Nov 8, 2019