Control: tags -1 confirmed moreinfo

László Böszörményi (GCS):
> Package: release.debian.org
> User: [email protected]
> Usertags: unblock
>
> Hi Release Team,
>
> I would like to upload a security related update for sqlite3. It contains:
> - Prevent a possible NULL pointer dereference in the OP_Found opcode
>   that can follow an OOM error. Problem found by OSS-Fuzz[1],
> - Stack overflow while parsing deeply nested JSON[2],
> - JSON allows unescaped control characters in strings[3],
> - JSON extension accepts invalid numeric values[4].
>
> Upstream tagged these as 'code defect' and severity 'severe'. The
> changes themselves are small and the 3.19.2-1 version in experimental
> contains these fixes.
>
> Debdiff is attached. Thanks for consideration.
>
> Regards,
> Laszlo/GCS
> [1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0
> [2] https://www.sqlite.org/src/info/981329adeef51011052
> [3] https://www.sqlite.org/src/info/6c9b5514077fed34551
> [4] https://www.sqlite.org/src/info/b93be8729a895a528e2
>
Ack, please go ahead. Given the deadlines for migration, ideally this upload is completed no later than Monday.

Thanks,
~Niels

