On 12/24/19, Raitses, Alex <alex.rait...@intel.com> wrote:
> Hi,
> Can you please update on the status of the following CVEs submitted on 3.30.1?
> The CVEs link to patches referencing a GitHub branch, however I could find
> corresponding submits to the Fossil repository.
> CVE list:
> https://nvd.nist.gov/vuln/detail/CVE-2019-19244
> https://nvd.nist.gov/vuln/detail/CVE-2019-19603
> https://nvd.nist.gov/vuln/detail/CVE-2019-19242
> https://nvd.nist.gov/vuln/detail/CVE-2019-19646
> https://nvd.nist.gov/vuln/detail/CVE-2019-19645
None of these CVEs describe actual vulnerabilities, at least not for the typical use-case for SQLite. If you have an unusual application in which you allow unauthenticated users to submit arbitrary SQL to your application, then four of these CVEs describe a denial-of-service opportunity to an attacker. In other words, an attacker who can present arbitrary SQL queries (and DDL statements) to the application can cause the application to crash. Not many applications fall into that category, though. The only application that I know of that does this is the Chrome web browser.

How does your application use SQLite? Do you allow anonymous attackers to present arbitrary SQL to your application? If not, then none of this applies to you.

CVE-2019-19646 describes a bug in a new feature of SQLite that has not yet been released. CVE-2019-19646 was apparently submitted in error. Unfortunately, we do not know of any mechanism to correct erroneous CVEs. Do you?

All of the problems described by the CVEs you list have been fixed. In fact, most of the CVEs you list point to the check-in that fixes the problem, in a GitHub mirror of the SQLite repository.

The SQLite developers do not issue or track CVEs. CVEs against SQLite are issued by third parties, typically third parties who are running fuzzers against SQLite, and usually without the consultation or approval of the SQLite developers.

--
D. Richard Hipp
d...@sqlite.org

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
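The reply above draws the line at applications that execute SQL supplied by untrusted users. As an added illustration (not code from the thread or from the SQLite project), this shows how such an application can narrow that exposure with two SQLite hooks exposed by Python's standard `sqlite3` module: an authorizer callback that refuses everything except reads, so DDL, writes, PRAGMA and ATTACH are rejected at prepare time, and a progress handler that aborts a statement once it exceeds a step budget rather than letting it run unbounded. The `UntrustedSqlRunner` class, the `notes` table and the sample statements are hypothetical.

```python
import sqlite3


class UntrustedSqlRunner:
    """Hypothetical helper: confine caller-supplied SQL on an SQLite connection.
    The authorizer allows only reads (no DDL, writes, PRAGMA, ATTACH); the
    progress handler aborts any statement that exceeds a VM-step budget."""

    # SQLITE_RECURSIVE is 33 in sqlite3.h; exported by Python builds on SQLite >= 3.8.3.
    READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                         sqlite3.SQLITE_FUNCTION, getattr(sqlite3, "SQLITE_RECURSIVE", 33)}

    def __init__(self, conn, budget_calls=500, ops_per_call=1000):
        self.conn, self.budget_calls, self.calls = conn, budget_calls, 0
        conn.set_authorizer(self._authorize)
        conn.set_progress_handler(self._progress, ops_per_call)  # called every N VM ops

    def _authorize(self, action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in self.READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

    def _progress(self):
        self.calls += 1
        return 1 if self.calls > self.budget_calls else 0  # nonzero aborts the statement

    def run(self, sql):
        """Return ("ok", rows) or ("rejected", reason); bad SQL never raises."""
        self.calls = 0
        try:
            return "ok", self.conn.execute(sql).fetchall()
        except sqlite3.Error as exc:  # "not authorized", "interrupted", syntax errors
            return "rejected", str(exc)


def build_demo_db():
    # Constructed sample data, not taken from the thread.
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);"
                       "INSERT INTO notes(body) VALUES ('hello'), ('world');")
    return conn


# Non-terminating recursive CTE: stopped by the step budget, not by the schema.
RUNAWAY_SQL = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
               "SELECT count(*) FROM c")

if __name__ == "__main__":
    runner = UntrustedSqlRunner(build_demo_db())
    for stmt in ("SELECT body FROM notes ORDER BY id", "DROP TABLE notes",
                 "PRAGMA writable_schema = ON", RUNAWAY_SQL):
        print(stmt[:45], "->", runner.run(stmt))
```

Denied statements fail before any bytecode runs, and the budget keeps a hostile query from tying up the connection; neither control is a substitute for keeping the library current.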