Hi Debian Security Team,

I am inquiring on Debian Bullseye as it relates to:

https://security-tracker.debian.org/tracker/CVE-2019-8457

Specifically, it is noted the team has put in a good faith effort in
analyzing the feasibility of backporting relevant patches to Bullseye,
and classifying the urgency of such effort. My read of this so far is
that it's a debug mode only exposure, normally disabled in production
(by default).

With that said, for those environment who are using Bullseye, outside of
the amount of changes required for the backport, is there any technical 'gotchas' or further advice the team could provide for those who are considering a self-maintain of relevant patches from bookworm / sid into Bullseye while the discussion continues on this?

Thanks!

- Chris Peñalver

christopher.m.penalver@gmail.com

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2022-08-26 at 05:02 -0400, Chris Penalver wrote:

Hi Debian Security Team,

I am inquiring on Debian Bullseye as it relates to:

https://security-tracker.debian.org/tracker/CVE-2019-8457

Specifically, it is noted the team has put in a good faith effort in analyzing the feasibility of backporting relevant patches to
Bullseye, and classifying the urgency of such effort. My read of this
so far is that it's a debug mode only exposure, normally disabled in production (by default).

No. My reading of Ola mail [1] is that the function is not called at
all in the package. So, unless you recompiled the affected package
ading a call to sqlite3_rtree_init you are not affected, even if the
vulnerable code is there as dead code.

With that said, for those environment who are using Bullseye, outside
of the amount of changes required for the backport, is there any
technical 'gotchas' or further advice the team could provide for
those who are considering a self-maintain of relevant patches from
bookworm / sid into Bullseye while the discussion continues on this?

The bug in db5.3 was fixed in 5.3.28+dfsg1-0.9 [2] with patch [3] over
the same version which is present in bullseye:

bullseye is in db5.3 5.3.28+dfsg1-0.8
bookworm is in db5.3 5.3.28+dfsg1-0.10

The latest is not suitable due to the changes in -0.10 but I think 5.3. 28+dfsg1-0.9 can go to bullseye, or at least on the 11.6 point release
(I think it may already be too late for 11.5, scheduled for
Sep 11th)

It's arguable if one should provide a security update for an issue on a function which is never-called, but in that case I think CVE-2019-8457
should have been marked as non-affected instead of vulnerable (and as
Jonas pointed out the *source* package *is* vulnerable)

Anyway, I wouldn't complicate with the schrödingerness of the
vulnerability and just ship a fixed package with the available patch, equivalent to -0.9. Worst case, a patch changing a dead function is not
going to break anything, and the vulnerability can be safely declared
as fixed in bullseye, for everybody's peace of mind (you are not the
only one who would be interested in a backport, see #1010974).

I'm not sure who would be uploading it, though. Probably Ondrej
(although the Debian Berkeley DB packages have been put for adoption) o
r someone else from the security team. Should be simple enough, but
still needs someone to do it.


Regards


1- https://lists.debian.org/debian-lts/2019/06/msg00036.html
2- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010974
3- https://sources.debian.org/patches/db5.3/5.3.28+dfsg1-0.10/CVE-2019-8457.patch/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)