Page MenuHomeFreeBSD
Differential D7651

Patches for stable/10 to address the sqlite3 the tmpdir selection vulnerability (CVE-2016-6153).
AbandonedPublic
Actions

Authored by cy on Aug 26 2016, 1:40 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Feb 11, 10:38 PM
Unknown Object (File)
Dec 12 2025, 4:24 AM
Unknown Object (File)
Nov 18 2025, 2:42 PM
Unknown Object (File)
Nov 9 2025, 9:59 AM
Unknown Object (File)
Nov 9 2025, 5:51 AM
Unknown Object (File)
Nov 9 2025, 2:01 AM
Unknown Object (File)
Oct 20 2025, 7:04 PM
Unknown Object (File)
Oct 15 2025, 9:04 PM
View All 45 Files
Subscribers
None

Details

Reviewers
kib
peter
pfg
delphij
glebius
imp
ian
Summary

This patch addresses he sqlite3 the tmpdir selection vulnerability (CVE-2016-6153) for stable/10. The patches are discussed by Debian here: https://lists.debian.org/debian-lts/2016/07/msg00004.html. Upline sqlite patches are as follows:

http://www.sqlite.org/cgi/src/info/67985761aa93fb61
http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
http://www.sqlite.org/cgi/src/info/614bb709d34e1148

Since code for sqlite 1.8 in stable/10's sqlite3 source files is laid out much differently I had to glean the changed statements from the upline patches to build a patch for stable/10. I'd appreciate a review.

Should anyone else review this?

Would we prefer to MFC sqlite3 1.14.1 to stable/10 instead?

Test Plan

make tinderbox on universe10a succeeded.

Testing using svnlite on 10.3-STABLE (on my testbed) worked.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

cy updated this revision to Diff 19704.Aug 26 2016, 1:40 AM
cy retitled this revision from to Patches for stable/10 to address the sqlite3 the tmpdir selection vulnerability (CVE-2016-6153)..
cy updated this object.
cy edited the test plan for this revision. (Show Details)
cy added reviewers: delphij, glebius, kib, ian, peter, imp, pfg.
cy set the repository for this revision to rS FreeBSD src repository - subversion.
kib edited edge metadata.Aug 26 2016, 12:11 PM

sqlite is the internal library in base, nothing non-base should ever access its symbols. I believe that the database files are compatible or auto-upgraded between sqlite versions.

As such, I think that all data point out that upgrade to 1.14 is much better route for stable/10 as well, because it avoids diverging from mainline.

cy abandoned this revision.Aug 26 2016, 9:07 PM

Excellent! I wasn't sure if it was acceptable to MFC such a large revision jump to stable/10, it made a lot more sense but I wasn't sure until I asked. I'll MFC to stable/10 then. Thanks for the input.

cy mentioned this in rS305003: MFC r304747:.Aug 29 2016, 12:57 PM

Revision Contents
Changeset List

PathSize
contrib/
sqlite3/
21 lines

Diff 19704

View Options

contrib/sqlite3/sqlite3.c

Loading...