Source: sqlite3
Version: 3.8.7.4-1
Severity: important
Tags: security upstream fixed-upstream
Hi,

the following vulnerabilities were published for sqlite3.

CVE-2015-3414[0]:
| SQLite before 3.8.9 does not properly implement the dequoting of
| collation-sequence names, which allows context-dependent attackers to
| cause a denial of service (uninitialized memory access and application
| crash) or possibly have unspecified other impact via a crafted COLLATE
| clause, as demonstrated by COLLATE"""""""" at the end of a SELECT
| statement.

CVE-2015-3415[1]:
| The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not
| properly implement comparison operators, which allows
| context-dependent attackers to cause a denial of service (invalid free
| operation) or possibly have unspecified other impact via a crafted
| CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE
| statement.

CVE-2015-3416[2]:
| The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does
| not properly handle precision and width values during floating-point
| conversions, which allows context-dependent attackers to cause a
| denial of service (integer overflow and stack-based buffer overflow)
| or possibly have unspecified other impact via large integers in a
| crafted printf function call in a SELECT statement.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3414
[1] https://security-tracker.debian.org/tracker/CVE-2015-3415
[2] https://security-tracker.debian.org/tracker/CVE-2015-3416

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore