[18.09] sqlite: 3.25.3 -> 3.26.0 #52141
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
(cherry picked from commit 2d7c6d0)
andir
added
1.severity: security
8.has: port to stable
|
It looks like Google upgraded to 3.25.3, not 3.25.0? There are things that look like security fixes in |
|
Yeah sorry. I meant 3.25.3.
…On Sat, 15 Dec 2018, 02:47 Ivan Kozik, ***@***.***> wrote:
It looks like Google upgraded to 3.25.3, not 3.25.0?
There *are* things that look like security fixes in branch-3.25.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#52141 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAm_dFh2cnXu7UDb8H4dVff5Grwe7ycLks5u5FTFgaJpZM4ZUgJY>
.
|
|
I'm also confused by that (from before reading about your confusion). It's theoretically possible that chrome's particular use cases were easier to fix or something like that. 3.26.0 release notes don't seem to contain any "fixes". |
|
@vcunat, it looks to me like they might have tried to obfuscate the fixes… I vote for merging. |
obadz
approved these changes
Dec 15, 2018
|
(I will merge in 1h unless I hear an objection) |
|
According to https://worthdoingbadly.com/sqlitebug/ the fix is in mackyle/sqlite@52e2764cd which seems to be in versions Sqlite 3.25.1 and up. I still think we should merge but I'll now wait for an objection for 6 hours instead of 1. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
https://blade.tencent.com/magellan/index_en.html
The page suggests claims that sqlite <3.26.0 is vulnerable to "Remote code execution, leaking program memory or causing program crashes".
This PR backports the commit made by @dtzWill on master (PR #51352).
I am still a bit confused by the fact that google upgraded to 3.25.0 to fix the issue https://chromium.googlesource.com/chromium/src/+/c368e30ae55600a1c3c9cb1710a54f9c55de786e. If that is indeed sufficient we do not need merge this straight into the release branch but can let all the rebuilds take place on staging instead.
Things done
I rebuild
python3Packages.sqlalchemysuccessfully. It comes with a larger test suite that seems like a good "smoketest".sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)