classification
Title: Update SQLite to 3.30 in Windows and macOS installer builds
Type:
Stage: needs patch
Components: Build, macOS, Windows
Versions: Python 3.9, Python 3.8, Python 3.7, Python 2.7
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Big Stone, erlendaasland, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords: patch

Created on 2019-10-05 22:12 by Big Stone, last changed 2019-10-09 21:53 by erlendaasland.

Files
File name Uploaded Description
0001-bpo-38380-Update-macOS-installer-to-use-SQLite-3.30..patch erlendaasland, 2019-10-09 15:24 bpo-38380: Update macOS installer to use SQLite 3.30.0
0002-bpo-38380-Update-Windows-builds-to-use-SQLite-3.30.0.patch erlendaasland, 2019-10-09 15:25 bpo-38380: Update Windows builds to use SQLite 3.30.0
Messages (7)
msg354023 - (view) Author: Big Stone (Big Stone) Date: 2019-10-05 22:12
There is a security fix in sqlite-3.30

https://nvd.nist.gov/vuln/detail/CVE-2019-16168#VulnChangeHistorySection

https://www.sqlite.org/releaselog/3_30_0.html
msg354025 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-10-05 22:35
I verified it is exploitable via the sqlite3 module by adapting the test case from the SQLite ticket (https://www.sqlite.org/src/info/e4598ecbdd18bd82). But since it requires the exploiter to be able to specify raw SQL statements, it doesn't sound like it needs to be treated as a Python security issue. We should plan to update to the latest SQLite but it doesn't need to be a release blocker.
msg354280 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2019-10-09 15:22
I've prepared a PR for https://github.com/python/cpython-source-deps at https://github.com/erlend-aasland/cpython-source-deps/tree/upgrade-sqlite. 

Patches for Windows and macOS installer builds on 3.9 prepared at https://github.com/erlend-aasland/cpython/tree/fix-issue-38380.

If it looks ok, I'll create PRs for CPython and cpython-source-deps. I guess this should be backported to 3.8, 3.7 and 2.7.
msg354281 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2019-10-09 15:24
bpo-38380: Update macOS installer to use SQLite 3.30.0
https://github.com/erlend-aasland/cpython/commit/aa7d7b1a3bed9a6a73f0611d0542a3442e85b0b6
msg354282 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2019-10-09 15:25
bpo-38380: Update Windows builds to use SQLite 3.30.0
https://github.com/erlend-aasland/cpython/commit/e25214e6fa7a64353d9c3e16b139c41f5d62eb31
msg354284 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2019-10-09 15:56
FYI: Compiled cpython 3.9 with sqlite-3.30 on macOS 10.14.6. Make test completes without errors.
msg354300 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2019-10-09 21:53
Update: Tested on macOS 10.14.6 with make test on 2.7.17rc1, 3.7.5rc1+, 3.8.0rc1+.
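Added example (not part of the original thread or of CPython): a check of which SQLite library a given Python interpreter actually loads, compared against the 3.30.0 release this issue asks the installers to bundle. The function names and the `FIXED_IN` constant are assumptions made for this example.

```python
import sqlite3

# First release this issue names as carrying the security fix (CVE-2019-16168).
FIXED_IN = (3, 30, 0)


def parse_version(text):
    """Turn '3.29.0' or '3.8.10.2' into a tuple of ints for comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def has_fix(version):
    """True when a SQLite version tuple is at or above FIXED_IN."""
    # Pad short tuples such as (3, 30) so the comparison is on three fields.
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded[:3] >= FIXED_IN


def linked_sqlite_version():
    """Ask the loaded SQLite library for its own version through SQL."""
    conn = sqlite3.connect(":memory:")
    try:
        (text,) = conn.execute("SELECT sqlite_version()").fetchone()
    finally:
        conn.close()
    return parse_version(text)


def audit():
    """Report the SQLite version this interpreter loads and whether it is >= 3.30.0."""
    version = linked_sqlite_version()
    return {
        "sqlite_version": ".".join(str(n) for n in version),
        "has_3_30_fix": has_fix(version),
    }


if __name__ == "__main__":
    print(audit())
```

A version comparison is only a heuristic: a vendor can backport a fix without changing the reported version number.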
History
Date User Action Args
2019-10-09 21:53:22 erlendaasland set messages: + msg354300
2019-10-09 15:56:36 erlendaasland set messages: + msg354284
2019-10-09 15:25:42 erlendaasland set files: + 0002-bpo-38380-Update-Windows-builds-to-use-SQLite-3.30.0.patch; messages: + msg354282
2019-10-09 15:24:50 erlendaasland set files: + 0001-bpo-38380-Update-macOS-installer-to-use-SQLite-3.30..patch; keywords: + patch; messages: + msg354281
2019-10-09 15:22:43 erlendaasland set nosy: + erlendaasland; messages: + msg354280
2019-10-05 22:35:11 ned.deily set versions: + Python 2.7, Python 3.7, Python 3.8, Python 3.9; nosy: + ned.deily, paul.moore, tim.golden, steve.dower, zach.ware, ronaldoussoren; messages: + msg354025; components: + Build, macOS, Windows; stage: needs patch
2019-10-05 22:12:20 Big Stone create