Ubuntu
libdbd-sqlite3-perl package

[MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency)

Bug #2029379 reported by Miriam España Acebal on 2023-08-02

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	libdbd-sqlite3-perl (Ubuntu)	In Progress	Undecided	Unassigned

Bug Description

[Availability]
The package libdbd-sqlite3-perl is already in Ubuntu universe.
The package libdbd-sqlite3-perl build for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/libdbd-sqlite3-perl

[Rationale]
The package libdbd-sqlite3-perl is required in Ubuntu main for libmail-dmarc-perl.
The package libdbd-sqlite3-perl will not generally be useful for
a large part of our user base, but is important/helpful still
because libmail-dmarc-perl requires it as a runtime dependency
( libmail-dmarc-perl is in the MIR process here: https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971 )

The package libdbd-sqlite3-perl is required in Ubuntu main through the same scheduled requested
for the libmail-dmarc-perl promotion, since libmail-dmarc-perl depends on it.

[Security]
No CVEs/security issues in this software in the past.
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs.
Package does not open privileged ports (ports < 1024).
Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...).

[Quality assurance - function/usage]
The package works well right after install.

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does
not have critical/long term open bugs in Ubunto nor in Debian:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libdbd-sqlite3-perl

The package has no important open bugs on upstream: https://github.com/DBD-SQLite/DBD-SQLite/issues
The package does not deal with exotic hardware we cannot support.

[Quality assurance - testing]
The package runs a test suite on build time, if it fails
it makes the build fail: https://launchpadlibrarian.net/636252037/buildlog_ubuntu-lunar-amd64.libdbd-sqlite3-perl_1.72-1_BUILDING.txt.gz :
dh_auto_test
make -j4 test TEST_VERBOSE=1

The package runs an autopkgtest (via autodep8 using 'Testsuite: autopkgtest-pkg-perl' in d/control file ), which essentially runs the above build-time test suite. It is currently passing on
this list of architectures (amd64, arm64, armhf, ppc64el, riscv64, s390x), except on i386: https://autopkgtest.ubuntu.com/packages/l/libdbd-sqlite3-perl

The package does have failing autopkgtests tests right now, but since
they always failed they are handled as "ignored failure", this is
because the package the test depends on pkg-perl-tools package that is not
build for i386 since focal.

[Quality assurance - packaging]

debian/watch is present and works.

debian/control defines a correct Maintainer field : Debian Perl Group <email address hidden>

This package does not yield massive lintian Warnings, Errors
  - recent build log of the package: https://launchpadlibrarian.net/636252037/buildlog_ubuntu-lunar-amd64.libdbd-sqlite3-perl_1.72-1_BUILDING.txt.gz
  - full output from `lintian --pedantic` :
    ❯ lintian -EvIL +pedantic --show-overrides ../libdbd-sqlite3-perl_1.72-1.dsc
      W: libdbd-sqlite3-perl source: newer-standards-version 4.6.1 (current is 4.6.0.1)
      X: libdbd-sqlite3-perl source: debian-watch-does-not-check-gpg-signature [debian/watch]
      P: libdbd-sqlite3-perl source: very-long-line-length-in-source-file lib/DBD/SQLite/Constants.pm line 724 is 583 characters long (>512)
  - Lintian overrides are not present.

This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.

The package will not be installed by default.

Packaging and build is easy, link to debian/rules : https://git.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/tree/debian/rules

[UI standards]
Application is not end-user facing (does not need translation).

[Dependencies]
No further depends or recommends dependencies that are not yet in main.

[Standards compliance]
This package correctly follows FHS and Debian Policy (4.6.1).

[Maintenance/Owner]
Owning Team will be Ubuntu Server Team.
Team is not yet, but will subscribe to the package before promotion.

This does not use static builds.

Vendored code present is the source code for SQLITE (https://sqlite.org/download.html)
The Ubuntu Server Team is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).

This package is not rust based

The package successfully built during the most recent test rebuild: https://launchpad.net/ubuntu/+archive/test-rebuild-20230515-lunar-v3/+build/26135153

[Background information]
The Package description explains the package well.
Upstream Name is DBD-SQLite.
Link to upstream project https://metacpan.org/dist/DBD-SQLite

This existed in main in 2013 (Trusty), but was subsequently demoted. Its original promotion was via LP: #196145.

See original description

Tags:

CVE References

2022-46908

Miriam España Acebal (mirespace) on 2023-08-02

description:	updated
description:	updated

Miriam España Acebal (mirespace) on 2023-08-04

description:

updated

Miriam España Acebal (mirespace) on 2023-08-04

description:

updated

Miriam España Acebal (mirespace) on 2023-08-07

description:

updated

Miriam España Acebal (mirespace) on 2023-08-09

description:

updated

Miriam España Acebal (mirespace) on 2023-08-09

description:

updated

Miriam España Acebal (mirespace) on 2023-08-09

summary:	- [MIR] promote libdbd-sqlite3-perl as a libmail-dmarc-perl dependency + [MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency)
summary:	- [MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency) + [MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency)

Christian Ehrhardt  (paelzer) on 2023-08-16

Changed in libdbd-sqlite3-perl (Ubuntu):
assignee:	Miriam España Acebal (mirespace) → nobody

Christian Ehrhardt  (paelzer) on 2023-08-22

Changed in libdbd-sqlite3-perl (Ubuntu):
assignee:	nobody → Ioanna Alifieraki (joalif)

Revision history for this message

Ioanna Alifieraki (joalif) wrote on 2023-09-05:

Download full text (3.9 KiB)

Review for Source Package: libdbd-sqlite3-perl

[Summary]
MIR team ACK.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libdbd-sqlite3-perl
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
The package looks ok apart from the vendored code and CVE-2022-46908.

Regarding the vendored code (sqlite3) Ubuntu Server is aware of its implications and
commits to provide updates and backports to the security team for the lifetiem of
the release (as per bug Description).
That said, we're godd on that front.

There's a CVE open in the upstream issues (https://github.com/DBD-SQLite/DBD-SQLite/issues/108),
therefore I suggest a security review.
Upstream is working on the next version (1.73) but is not yet stable (expected in mid September 2023),
which is supposed to take care of the CVE.

Required TODOs:
- The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.
This package is required in main as a dependency of libmail-dmarc-perl.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - libdbd-sqlite3-perl checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
TODO: - no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems:
- embedded source present
- vendored code included

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- CVE-2022-46908 : https://github.com/DBD-SQLite/DBD-SQLite/issues/108

[Common blockers]
OK:
- does not FTBFS currently
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

Problems: None

Review for Source Package: libdbd-sqlite3-perl

Notes:
The package looks ok apart from the vendored code and CVE-2022-46908.

Regarding the vendored code (sqlite3) Ubuntu Server is aware of its implications and
commits to provide updates and backports to the security team for the lifetiem of 
the release (as per bug Description).
That said, we're godd on that front.

Required TODOs:
- The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.
This package is required in main as a dependency of libmail-dmarc-perl.

Problems: None

Problems:
- embedded source present
- vendored code included

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
   xml, json, asn.1], network packets, structures, ...) from
   an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- CVE-2022-46908  : https://github.com/DBD-SQLite/DBD-SQLite/issues/108

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- the current release is packaged
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is (good/slow/sporadic)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]

OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None

Changed in libdbd-sqlite3-perl (Ubuntu):
assignee:	Ioanna Alifieraki (joalif) → nobody
assignee:	nobody → Ubuntu Security Team (ubuntu-security)

Steve Beattie (sbeattie) on 2023-10-15

tags:

added: sec-2906

Revision history for this message

George-Andrei Iosif (iosifache) wrote on 2024-01-25:

Download full text (6.4 KiB)

I reviewed `libdbd-sqlite3-perl` `1.72-1` as checked into mantic. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability. As the module is highly stateful, it was not tested with
fuzzing.

`libdbd-sqlite3-perl` is a DBI driver for an SQLite instance. The upstream code
is available on GitHub at https://github.com/DBD-SQLite/DBD-SQLite.

The main interface of the package is the DBI driver (dbi.perl.org). A user
should use the DBI API to connect to the database and perform CRUD operations.
Besides the DBI API, the package provides methods that can be leveraged to
implement custom functions registered in the SQL syntax. Please see the
MetaCPAN (metacpan.org/release/ISHIGAKI/DBD-SQLite-1.74) page for a full list
of the modules and their methods.

- CVE History
  - There is no CVE assigned to this package.
  - Despite this fact, the upstream (and its CPAN package) is prone to
transitive dependencies from SQLite. This doesn't affect the packages provided
by Debian and Ubuntu because the control file of the package requires
`libsqlite3-dev` and a Quilt patch is applied to enable the use of it instead
of the SQLite amalgamation (www.sqlite.org/amalgamation.html).
    - Files of the SQLite amalgamation are vendored in the Perl module:
      - `sqlite3.h`;
      - `sqlite3.c`;
      - `sqlite3ext.h`;
      - `fts3_tokenizer.h`; and
      - `dbdimp_tokenizer.inc` (SQLite's `fts3_tokenizer1.c`).
    - The SQLite vulnerabilities are fixed by only upgrading the vendored
SQLite file, without any backporting to previous versions. The updates are
either created ad-hoc by the maintainer or as a response to GitHub issues
opened by the users. Below is a list of relevant issues and their corresponding
creation years:
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/12 (2015);
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/108 (2023); and
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/103 (2022).
  - The same happens for the Ppport header (`ppport.h`), which "attempts to
bring some of the newer Perl API features to older versions of Perl" (from
https://docstore.mik.ua/orelly/perl4/perlnut/ch08_54.htm_).
    - The header itself should be generated at build time by the package or, at
least, updated regularly. Based on the Git history, the latter was a practice
for the DBD-SQLite maintainers around 2009-2010.
  - Other vulnerabilities in the code of the module, which received no CVE, are:
    - Buffer overflow: https://rt-cpan.github.io/Public/Bug/Display/73787
(2012); and
    - Integer overflow: https://rt-cpan.github.io/Public/Bug/Display/28785
(2007).
  - The maintainer is using his blog to announce updates in the module:
https://blogs.perl.org/mt/mt-cp.cgi?__mode=view&id=464.
- Build-Depends
  - Nothing raises security concerns.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - The package defines 117 tests in its `t/` and `xt/` folders, which
extensively test the codebase.
  - ...

I reviewed `libdbd-sqlite3-perl` `1.72-1` as checked into mantic. This 
shouldn't be considered a full audit but rather a quick gauge of 
maintainability. As the module is highly stateful, it was not tested with 
fuzzing.

`libdbd-sqlite3-perl` is a DBI driver for an SQLite instance. The upstream code 
is available on GitHub at https://github.com/DBD-SQLite/DBD-SQLite.

The main interface of the package is the DBI driver (dbi.perl.org). A user 
should use the DBI API to connect to the database and perform CRUD operations. 
Besides the DBI API, the package provides methods that can be leveraged to 
implement custom functions registered in the SQL syntax. Please see the 
MetaCPAN (metacpan.org/release/ISHIGAKI/DBD-SQLite-1.74) page for a full list 
of the modules and their methods.

- CVE History
  - There is no CVE assigned to this package.
  - Despite this fact, the upstream (and its CPAN package) is prone to 
transitive dependencies from SQLite. This doesn't affect the packages provided 
by Debian and Ubuntu because the control file of the package requires 
`libsqlite3-dev` and a Quilt patch is applied to enable the use of it instead 
of the SQLite amalgamation (www.sqlite.org/amalgamation.html).
    - Files of the SQLite amalgamation are vendored in the Perl module:
      - `sqlite3.h`;
      - `sqlite3.c`;
      - `sqlite3ext.h`;
      - `fts3_tokenizer.h`; and
      - `dbdimp_tokenizer.inc` (SQLite's `fts3_tokenizer1.c`).
    - The SQLite vulnerabilities are fixed by only upgrading the vendored 
SQLite file, without any backporting to previous versions. The updates are 
either created ad-hoc by the maintainer or as a response to GitHub issues 
opened by the users. Below is a list of relevant issues and their corresponding 
creation years:
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/12 (2015);
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/108 (2023); and
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/103 (2022).
  - The same happens for the Ppport header (`ppport.h`), which "attempts to 
bring some of the newer Perl API features to older versions of Perl" (from 
https://docstore.mik.ua/orelly/perl4/perlnut/ch08_54.htm_).
    - The header itself should be generated at build time by the package or, at 
least, updated regularly. Based on the Git history, the latter was a practice 
for the DBD-SQLite maintainers around 2009-2010.
  - Other vulnerabilities in the code of the module, which received no CVE, are:
    - Buffer overflow: https://rt-cpan.github.io/Public/Bug/Display/73787 
(2012); and
    - Integer overflow: https://rt-cpan.github.io/Public/Bug/Display/28785 
(2007).
  - The maintainer is using his blog to announce updates in the module: 
https://blogs.perl.org/mt/mt-cp.cgi?__mode=view&id=464.
- Build-Depends
  - Nothing raises security concerns.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - The package defines 117 tests in its `t/` and `xt/` folders, which 
extensively test the codebase.
  - The tests leverage a helper module for handling warnings in 
`inc/Test/FailWarnings.pm`.
- cron jobs
  - N/A
- Build logs
  - N/A

- Processes spawned
  - N/A
- Memory management
  - Operations with the memory are happening only through the SQLite API, via 
methods such as `sqlite3_malloc` and `sqlite3_free`. The module clears its 
memory before exiting a function.
- File IO
  - Operations with the file-base database are happening only through the 
SQLite API.
  - When the database is backed by the filesystem, files are securely opened in 
`lib/DBD/SQLite/VirtualTable/FileContent.pm` with the three-argument variant of 
`open`.
- Logging
  - The module uses the following functions for logging:
    - `sqlite_error`;
    - `sqlite3_result_error`; and
    - `warn`.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - Cryptographic functions (hashing and RC4 as a PRNG) are used in SQLite, but 
they were not reviewed because the vendored code is not enabled in Ubuntu.
- Use of temp files
  - The use of temporary files happens only in the SQLite database, but the 
behaviour is properly documented (www.sqlite.org/tempfiles.html) and its code 
is not enabled in Ubuntu.
- Use of networking
  - N/A as the SQLite database is only stored locally
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A

- Any significant cppcheck results
  - Only false positives
- Any significant Coverity results
  - Coverity doesn't have support for Perl (as per Coverity's SAT-27514 ticket).
  - There are some NULL-terminated string warnings for the vendored SQLite, but 
these are out of scope because the vendored code is not enabled in Ubuntu.
  - For the C part of the codebase, only code quality warnings are generated.
- Any significant shellcheck results
  - N/A
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - Only false positives
- Any significant perlcritic results
  - An instance of a code injection was discovered in an API method exposed by 
one Perl module.
    - This method is also used by the SQL parser, but it was validated that it 
cannot be triggered from SQL queries.
    - The security impact is minimal and doesn't influence the MIR decision.
    - No further details will be provided here as the issue will be reported to 
the upstream.

After reviewing the codebase, it was concluded that the codebase is 
maintainable and doesn't have immediate security issues that may block the 
reviewing process.

The single security concern that arose during the review was the reporting of 
the security issues by the upstream. The project had no CVE, despite previous 
versions of the module (included in our active Ubuntu releases) being affected 
by vulnerabilities in its codebase. This lack of visibility affects all 
downstream developers, including Debian, and makes the users vulnerable.

The Security team proposes a conditional ACK for promoting 
`libdbd-sqlite3-perl` into main. The owning team (namely, the Ubuntu Server 
Team) needs to commit to the development and testing of security patches in all
Ubuntu releases if we lack upstream support. In addition, the same team should
ask for demoting the package if a more suitable package can be used as an
alternative for `libdbd-sqlite3-perl`.

Thanks!

George-Andrei Iosif (iosifache) on 2024-02-26

Changed in libdbd-sqlite3-perl (Ubuntu):
assignee:	Ubuntu Security Team (ubuntu-security) → nobody

Revision history for this message

Lukas Märdian (slyon) wrote on 2024-02-27:

This seems ready for promotion, except for the team subscription.

Changed in libdbd-sqlite3-perl (Ubuntu):
status:	New → In Progress

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2024-02-27:

FYI: subscription on libdbd-sqlite3-perl added
Fully ready to move

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-github-dbd-sqlite-dbd-sqlite #103
[closed] Edit
auto-github-dbd-sqlite-dbd-sqlite #108
[open] Edit
auto-github-dbd-sqlite-dbd-sqlite #12
[closed] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulibdbd-sqlite3-perl package

[MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency)

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
libdbd-sqlite3-perl package