Marius Bakke <[email protected]> writes:
> Marius Bakke <[email protected]> writes: > >> Hello! >> >> There is allegedly a remote code execution bug in all versions of SQLite >> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>. >> >> I think it is safe to graft 3.26.0 in-place: >> >> $ abidiff >> /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so >> /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so >> Functions changes summary: 0 Removed, 0 Changed, 0 Added function >> >> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable >> >> Function symbols changes summary: 0 Removed, 1 Added function symbol not >> referenced by debug info >> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not >> referenced by debug info >> >> 1 Added function symbol not referenced by debug info: >> >> >> sqlite3_create_window_function >> >> ...but I have not tested this. It's difficult to tell which patches to >> apply without knowing more details of the vulnerability. >> >> I am currently building a branch that adds a "static" output for >> SQLite in order to catch users of libsqlite3.a. Can we start this on >> Berlin concurrently? Patches attached. > > Perhaps it's better to start over 'staging' with the new SQLite in the > mean time? Hydra didn't get too far yet. > > It does not add a lot to the current rebuild count. Sounds good to me. Thank you! -- Ricardo
