Your message dated Fri, 22 Mar 2019 16:34:23 +0000
with message-id <[email protected]>
and subject line Bug#925289: fixed in sqlite3 3.27.2-2
has caused the Debian Bug report #925289,
regarding sqlite3: CVE-2019-9936
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
925289: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925289
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sqlite3
Version: 3.27.2-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for sqlite3.
CVE-2019-9936[0]:
| In SQLite 3.27.2, running fts5 prefix queries inside a transaction
| could trigger a heap-based buffer over-read in fts5HashEntrySort in
| sqlite3.c, which may lead to an information leak. This is related to
| ext/fts5/fts5_hash.c.
The issue can be verified with an ASAN build of sqlite3 and the provided
POC.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936
[1] https://sqlite.org/src/info/b3fa58dd7403dbd4
[2] https://www.mail-archive.com/[email protected]/msg114382.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sqlite3
Source-Version: 3.27.2-2
We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated sqlite3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 19 Mar 2019 17:46:39 +0000
Source: sqlite3
Architecture: source
Version: 3.27.2-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 925289 925290
Changes:
sqlite3 (3.27.2-2) unstable; urgency=high
.
* Backport security related patches:
- use unsigned integers to count the number of pages in a freelist
during an integrity_check, to avoid any possibility of a signed integer
overflow,
- fix a crash that could occur if the RHS of an IN expression is a
correlated sub-query that refers to the outer query from within a
window frame definition only,
- ensure that ALTER TABLE commands open statement transactions,
- CVE-2019-9937: fix an fts5 problem with interleaving reads and writes
in a single transaction (closes: #925290),
- CVE-2019-9936: fix a buffer overread that could occur when running fts5
prefix queries inside a transaction (closes: #925289).
Checksums-Sha1:
acfb8928116981d5c05d4e5100ab5edadfe5296b 2398 sqlite3_3.27.2-2.dsc
b8f511833e7d2d606877225cc4932abf9d67887d 23192 sqlite3_3.27.2-2.debian.tar.xz
cf6504091ebf3bd94bd267d371e9faac885597a5 9070 sqlite3_3.27.2-2_amd64.buildinfo
Checksums-Sha256:
ee9a1932a6fda86403d7a67ed825036a37a79e16200eb7435e664c2325ae2435 2398 sqlite3_3.27.2-2.dsc
547a96eaf1609460f25a163fdb1724320586a2a1ce5df2abae846ba59dea8b0f 23192 sqlite3_3.27.2-2.debian.tar.xz
430dfcfea65fdedbdb31c3034dede4111a4b547263ed536f3c20778d31c76ac0 9070 sqlite3_3.27.2-2_amd64.buildinfo
Files:
46039e9cb7b61e24358e541fd68291c8 2398 devel optional sqlite3_3.27.2-2.dsc
dcd0c03d6d25e79e0c51528332c4a6fa 23192 devel optional sqlite3_3.27.2-2.debian.tar.xz
b2385aa195c211dafed2f5d1ac51a394 9070 devel optional sqlite3_3.27.2-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlyVCTIACgkQ3OMQ54ZM
yL9JFQ/+Jq6xceFvG2+uq2JTdOfpz8dC6zmeaHJXDTVGOYPodtWlbgwtc1wBBsAT
5klgyyTbUncA5rGK0lUoYcxNsh8l9vnHw0CECCSY/gwadHo+hslM7k59kdr75ylA
8HIfS3Mk2QYjXf7UCcM8BvkMa0mx2wDiM25tixLnSgh2PwnkGnb5RbV36UZ6FlcU
26TFUe7Mf3kkk1kMoqGOpETj+wQEfc30Uf4QDfxHJna4Lw9sGfA9YlFVDoE5Ot5f
ogVm74vaClf/W0yjQI+i4lZ3oe+gdNqulcv2kRz65RQdt8lHLgqSRL0BnTtK8Kdz
ujoe6S+29xlRhZzAWO76AHtJebZePbO3V1DThpjrk5eB24kZB3/0EoMgFKzGKmiU
ZU5CGOdHW4GFHzjDXwRp6/WC7BiKmLjjMqxPn7nO+zuCIzN61fiPCCkuh1AIAQr3
vd7NbNM+XkCF6i0dnJDkAG6YNHb2egM9EED33hBXcVN9y/DRB07LU+e4C5cPQXJm
2BKd8PlwB2g50w2HB3shHjWehAu2VsPidW8yleLGksvwVImSI3yO8CDwUl2TwBDL
XmZNVK7pbtiS5271/EVOJH+MVTDgVMITzkLp/HvHC5iPZyJbGPIqdx3N5IaVl5cC
F6onTwYVdRhhMePBiejh7v0CycRhF4vA89MNcjDxAI49bEVuu0c=
=72le
-----END PGP SIGNATURE-----
--- End Message ---
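The bug report asks the maintainer to put the CVE id in the changelog, and the upload notice above carries the machine-readable record a reviewer would check that against: the Changes: text, the Closes: header, and the Checksums-Sha1/Checksums-Sha256/Files stanzas. The script below is an added example, not Debian tooling or sqlite3 project code. It parses those RFC822-style fields, extracts the CVE ids and the bugs the changelog claims to close, checks that they agree with the Closes: header, and verifies a downloaded artifact against every digest the manifest declares. The sample input is constructed from the values in the notice above with the field indentation restored and the checksum stanzas shortened to the .dsc entry; the function names are this example's own.

```python
"""Cross-check a Debian upload notice: CVE ids, Closes: bugs and artifact digests.

Added example, not Debian or sqlite3 project code. Parses the RFC822-style
fields of a .changes block such as the sqlite3 3.27.2-2 notice above.
"""
import hashlib
import re

# Constructed sample: headers and stanzas copied from the sqlite3 3.27.2-2 upload
# notice above, with continuation-line indentation restored and the checksum
# stanzas shortened to the .dsc entry. No values are invented.
SAMPLE_CHANGES = """\
Format: 1.8
Source: sqlite3
Version: 3.27.2-2
Distribution: unstable
Urgency: high
Closes: 925289 925290
Changes:
 sqlite3 (3.27.2-2) unstable; urgency=high
 .
   * Backport security related patches:
     - CVE-2019-9937: fix an fts5 problem with interleaving reads and writes
       in a single transaction (closes: #925290),
     - CVE-2019-9936: fix a buffer overread that could occur when running fts5
       prefix queries inside a transaction (closes: #925289).
Checksums-Sha1:
 acfb8928116981d5c05d4e5100ab5edadfe5296b 2398 sqlite3_3.27.2-2.dsc
Checksums-Sha256:
 ee9a1932a6fda86403d7a67ed825036a37a79e16200eb7435e664c2325ae2435 2398 sqlite3_3.27.2-2.dsc
Files:
 46039e9cb7b61e24358e541fd68291c8 2398 devel optional sqlite3_3.27.2-2.dsc
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# "closes: #925290" or "closes: #1, #2" as written in Debian changelog entries
BUG_RE = re.compile(r"closes:\s*((?:#?\d+[,\s]*)+)", re.IGNORECASE)


def parse_fields(text):
    """Parse 'Name: value' fields; lines starting with whitespace continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and key is not None:
            fields[key] += "\n" + line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def cve_ids(fields):
    """All CVE identifiers mentioned in the Changes: text, sorted."""
    return sorted(set(CVE_RE.findall(fields.get("Changes", ""))))


def bugs_closed_in_changelog(fields):
    """Bug numbers the changelog text itself claims to close."""
    bugs = set()
    for match in BUG_RE.finditer(fields.get("Changes", "")):
        bugs.update(int(n) for n in re.findall(r"\d+", match.group(1)))
    return bugs


def closes_header(fields):
    """Bug numbers listed in the Closes: header, which the archive acts on."""
    return {int(n) for n in fields.get("Closes", "").split()}


def closes_consistent(fields):
    """The Closes: header must match what the changelog says; a mismatch closes the wrong bugs."""
    return closes_header(fields) == bugs_closed_in_changelog(fields)


def checksum_table(fields):
    """Map each file name to its declared size and digests; sizes must agree across stanzas."""
    table = {}
    for stanza, algo in (("Checksums-Sha1", "sha1"),
                         ("Checksums-Sha256", "sha256"),
                         ("Files", "md5")):
        for line in fields.get(stanza, "").splitlines():
            parts = line.split()
            if len(parts) < 3:
                continue
            digest, size, name = parts[0], int(parts[1]), parts[-1]
            entry = table.setdefault(name, {"size": size})
            if entry["size"] != size:
                raise ValueError(f"size mismatch for {name} in {stanza}")
            entry[algo] = digest
    return table


def verify_artifact(name, data, table):
    """True only if the blob matches the declared size and every digest the manifest lists."""
    entry = table.get(name)
    if entry is None or len(data) != entry["size"]:
        return False
    digests = {k: v for k, v in entry.items() if k != "size"}
    return bool(digests) and all(
        hashlib.new(algo, data).hexdigest() == digest for algo, digest in digests.items())


if __name__ == "__main__":
    fields = parse_fields(SAMPLE_CHANGES)
    print("CVEs:", cve_ids(fields))
    print("Closes header consistent with changelog:", closes_consistent(fields))
    print("Manifest:", checksum_table(fields))
```

In practice the signed .changes file (or this notice, after checking its PGP signature) is the input, and `verify_artifact` is run over each file fetched from the archive; a size or digest mismatch means the download is not the artifact the maintainer signed.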