Source: sqlite3
Version: 3.8.7.1-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for sqlite3.

CVE-2017-10989[0]:
| The getNodeSize function in ext/rtree/rtree.c in SQLite before 3.11.0,
| as used in GDAL and other products, mishandles undersized RTree blobs
| in a crafted database, leading to a heap-based buffer over-read or
| possibly unspecified other impact.

Even though the above description mentions "before 3.11.0" (and actually
would be 3.17.0), the issue is still present in later versions; it's hidden,
as explained in [1]. There is a patch at [2]. So it might as well be
applied to newer versions (and it's basically already queued upstream as
well, with the referenced commit).

,---- [ make test ]
| ...
| ! rtreeA-7.110 expected: [1 {undersize RTree blobs in "t1_node"}]
| ! rtreeA-7.110 got: [1 {database disk image is malformed}]
| Time: rtreeA.test 56 ms
| ...
`----

(unrelated, speaking of testsuite, would be great if #339368 could be
made working in Debian and maybe having autopkgtest smoke-tests running
the upstream testsuite, but not sure how feasible this is).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10989
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989
[1] https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937/comments/7
[2] https://sqlite.org/src/info/66de6f4a

Regards,
Salvatore
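
An added example, not part of the original report and not SQLite or Debian code: a defender-side check that scans a database for r-tree shadow tables and lists node blobs below a minimum size, the condition the CVE description calls "undersized RTree blobs". The 448-byte threshold, the function names and the sample database are assumptions constructed for this illustration.

```python
import sqlite3

# Assumed minimum size for a well-formed r-tree node blob. The report does not
# state a number; adjust it to match the SQLite build you ship.
MIN_NODE_BYTES = 448


def find_undersized_rtree_nodes(conn, min_bytes=MIN_NODE_BYTES):
    """Return (table, nodeno, length) for each r-tree node blob shorter than min_bytes."""
    names = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    findings = []
    for name in sorted(names):
        if not name.endswith("_node"):
            continue
        base = name[:-len("_node")]
        # An r-tree keeps three shadow tables: <base>_node, <base>_rowid, <base>_parent.
        if base + "_rowid" not in names or base + "_parent" not in names:
            continue
        quoted = '"' + name.replace('"', '""') + '"'
        query = f"SELECT nodeno, coalesce(length(CAST(data AS BLOB)), 0) FROM {quoted}"
        try:
            for nodeno, length in conn.execute(query):
                if length < min_bytes:
                    findings.append((name, nodeno, length))
        except sqlite3.DatabaseError:
            # Shadow table with unexpected columns or damaged pages: report it too.
            findings.append((name, None, None))
    return findings


def build_sample():
    """Constructed in-memory database; plain tables stand in for r-tree shadow tables."""
    conn = sqlite3.connect(":memory:")
    for base in ("t1", "t2"):
        conn.execute(f"CREATE TABLE {base}_node(nodeno INTEGER PRIMARY KEY, data BLOB)")
        conn.execute(f"CREATE TABLE {base}_rowid(rowid INTEGER PRIMARY KEY, nodeno INTEGER)")
        conn.execute(f"CREATE TABLE {base}_parent(nodeno INTEGER PRIMARY KEY, parentnode INTEGER)")
    conn.execute("INSERT INTO t1_node VALUES (1, ?)", (bytes(4),))     # undersized blob
    conn.execute("INSERT INTO t2_node VALUES (1, ?)", (bytes(1024),))  # plausible size
    conn.execute("CREATE TABLE audit_node(nodeno INTEGER, data BLOB)") # name matches, not an r-tree
    conn.execute("INSERT INTO audit_node VALUES (1, x'00')")
    return conn


if __name__ == "__main__":
    for table, nodeno, length in find_undersized_rtree_nodes(build_sample()):
        print(f"{table}: node {nodeno} is {length} bytes")
```

The scan reads the shadow tables as ordinary tables, so it can be run over untrusted files before they are handed to an application that uses the r-tree extension.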