On Thu, 16 May 2019 20:09:52 +0200 László Böszörményi (GCS) <g...@debian.org> wrote:
> Hi,
>
> On Thu, May 16, 2019 at 11:57 AM Pirate Praveen
> <prav...@onenetbeyond.org> wrote:
> > On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
> > <car...@debian.org> wrote:
> > > Source: sqlite3
> > > The following vulnerability was published for sqlite3.
> > > CVE-2019-5018[0]:
> > > Window Function Remote Code Execution Vulnerability
> > Could this be that commit? I have not checked thoroughly only looked at
> > the commit message.
> >
> > "Prevent aliases of window functions expressions from being used as
> > arguments to aggregate or other window functions."
> >
> > https://sqlite.org/src/info/1e16d3e8fc60d39c
> Can be, but not sure. At least four sqlite 3.x issues reported
> recently and as I know, usually upstream is not informed about these.
> :-/
>
> > > [1]
> > > https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
>
> Regards,
> Laszlo/GCS
>

According to the TALOS link from the initial mail, TALOS informed the
vendor and the vendor provided on the same day as that commit.

"""
Timeline

2019-02-05 - Vendor Disclosure
2019-03-07 - 30 day follow up with vendor; awaiting moderator approval
2019-03-28 - Vendor patched
2019-05-09 - Public Release
"""

So this implies that there is a patch and it would be dated no later
than 2019-03-28 (caveat emptor: Time zones). It *might* be fixed in
3.28 (TALOS does not mention it as vulnerable), but the changelog does
not mention this explicitly[1].

Alternatively, it could be related to:
https://www.sqlite.org/src/info/4feb3159c6bc3f7e33959

This was released as a part of 3.27.2 and looks like it has the right
text as well. What concerns me is that the ticket[0] is almost a week
before TALOS's timeline for "Vendor patched" plus it mentioned "free
that has not been malloc'ed" rather than "use after free". That said,
the test case examples for both issues are similar.

Thanks,
~Niels

[0] Related and correct commit appears to be:
https://www.sqlite.org/src/info/a21ffcd8176672e7
(Based on https://www.sqlite.org/src/info/579b66eaa0816561)

[1] https://www.sqlite.org/draft/changes.html