Control: found -1 3.44.0-1
Control: fixed -1 3.49.1
Control: forwarded -1 https://sqlite.org/src/info/498e3f1cf57f164f
Control: tags -1 +patch +fixed-upstream

Hi,

On Tue, Apr 8, 2025 at 9:51 PM Salvatore Bonaccorso <[email protected]> wrote:
> The following vulnerability was published for sqlite3.
>
> CVE-2025-29087[0]:
> | Sqlite 3.49.0 is susceptible to integer overflow through the concat
> | function.
This is zero information. :( I'll add what I know from upstream. This
bug was introduced in upstream version 3.44.0 (doesn't affect our
stable releases as those are older ones). The actual vulnerability is
in the concat_ws() function, which can cause a memory error if the
separator string is very large (hundreds of megabytes). The fix is
already in place and is a small one. I plan to upload it tomorrow
afternoon.

Hope this helps,
Laszlo/GCS
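
An added illustration of the bug class discussed in the message above, showing one way a join-length calculation can overflow when the separator is hundreds of megabytes. It is not SQLite's code or the upstream patch; the function names, the 1,000,000,000-byte cap and the sample lengths are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed cap on the result size (hypothetical value for this example). */
#define JOIN_MAX_BYTES ((int64_t)1000000000)

/* Flawed pattern: separator bytes are multiplied in 32-bit arithmetic.
 * Unsigned math is used so the wraparound is well defined in this demo. */
int64_t joined_len_narrow(const int32_t *lens, int n, int32_t sep_len)
{
    int64_t total = 0;
    for (int i = 0; i < n; i++)
        total += lens[i];
    uint32_t sep_total = (uint32_t)(n - 1) * (uint32_t)sep_len; /* wraps at 2^32 */
    return total + (int64_t)sep_total;
}

/* Hardened pattern: widen to 64 bits before multiplying, then enforce the cap.
 * Returns 0 and stores the size in *out, or -1 if the input is rejected. */
int joined_len_checked(const int32_t *lens, int n, int32_t sep_len, int64_t *out)
{
    if (n <= 0 || sep_len < 0)
        return -1;
    int64_t total = (int64_t)(n - 1) * (int64_t)sep_len;
    for (int i = 0; i < n; i++) {
        if (lens[i] < 0)
            return -1;
        total += lens[i];
    }
    if (total > JOIN_MAX_BYTES)
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed input: ten 1-byte values joined by a 500,000,000-byte separator. */
    int32_t lens[10] = {1, 1, 1, 1, 1, 1, 1, 1, 1, 1};
    int64_t size = 0;
    printf("narrow:  %lld bytes\n", (long long)joined_len_narrow(lens, 10, 500000000));
    if (joined_len_checked(lens, 10, 500000000, &size) != 0)
        printf("checked: rejected, result would exceed the cap\n");
    return 0;
}
```

The narrow version reports a size far smaller than the data that would actually be written, which is the kind of mismatch that leads to a memory error; the checked version refuses the request instead.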
