Thanks a lot for the prompt response. As far as I found in the Fossil repository, fixes for all CVEs, excepting the erroneously submitted CVE-2019-19646, were merged to Fossil. Can you please estimate the next official release of SQLite including these fixes?

Regards,
Alex

-----Original Message-----
From: drhsql...@gmail.com <drhsql...@gmail.com> On Behalf Of Richard Hipp
Sent: Tuesday, December 24, 2019 6:31 PM
To: SQLite mailing list <sqlite-users@mailinglists.sqlite.org>
Cc: Raitses, Alex <alex.rait...@intel.com>
Subject: Re: [sqlite] CVE's opened on 3.30.1 status

On 12/24/19, Raitses, Alex <alex.rait...@intel.com> wrote:
> Hi,
> Can you please update on the status of the following CVEs submitted on 3.30.1?
> The CVEs' links to patches reference a GitHub branch, however I could find
> corresponding submits to the Fossil repository.
> CVEs list:
> https://nvd.nist.gov/vuln/detail/CVE-2019-19244
> https://nvd.nist.gov/vuln/detail/CVE-2019-19603
> https://nvd.nist.gov/vuln/detail/CVE-2019-19242
> https://nvd.nist.gov/vuln/detail/CVE-2019-19646
> https://nvd.nist.gov/vuln/detail/CVE-2019-19645

None of these CVEs describe actual vulnerabilities, at least not for the typical use-case for SQLite. If you have an unusual application in which you allow unauthenticated users to submit arbitrary SQL to your application, then four of these CVEs describe a denial-of-service opportunity to an attacker. In other words, an attacker who can present arbitrary SQL queries (and DDL statements) to the application can cause the application to crash. Not many applications fall into that category, though. The only application that I know of that does this is the Chrome web-browser.

How does your application use SQLite? Do you allow anonymous attackers to present arbitrary SQL to your application? If not, then none of this applies to you.

CVE-2019-19646 describes a bug in a new feature of SQLite that has not yet been released. CVE-2019-19646 was apparently submitted in error. Unfortunately, we do not know of any mechanism to correct erroneous CVEs. Do you?

All of the problems described by the CVEs you list have been fixed. In fact, most of the CVEs you list point to the check-in that fixes the problem, in a GitHub mirror of the SQLite repository.

The SQLite developers do not issue or track CVEs. CVEs against SQLite are issued by third parties, typically third parties who are running fuzzers against SQLite, and usually without the consultation or approval of the SQLite developers.

--
D. Richard Hipp
d...@sqlite.org

---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
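The distinction Hipp draws above, between an application that lets untrusted callers choose the SQL text and one that only binds their values into fixed statements, is the whole threat model for these CVEs. The following is an added example (editor's code, not from the thread, SQLite or Intel) for an application using Python's standard `sqlite3` module. It shows the risky pattern next to the parameterized one, adds an authorizer that refuses anything but reads of an allowed table as a second line of defence (the editor's suggestion, not something the thread prescribes), and exposes the linked library version so a deployer can compare it against the release that eventually carries the fixes. The `users` table, its rows and the `ALLOWED_READ_TABLES` set are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an application's table.
SAMPLE_ROWS = [(1, "alice", "alice@example.invalid"),
               (2, "bob", "bob@example.invalid")]


def open_sample_db():
    """Create an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def risky_lookup(conn, caller_sql):
    """The exposure Hipp describes: the caller's text *is* the statement, so the
    caller decides what runs (queries and DDL alike). Only an application that
    really intends to be a SQL console should look like this."""
    return conn.execute(caller_sql).fetchall()


def safe_lookup(conn, name):
    """The usual shape: the statement is fixed by the application and the
    caller's value is bound as a parameter, so it can only ever be data."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed allow-list for the authorizer below.
ALLOWED_READ_TABLES = {"users"}


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Defence in depth: SQLite consults this callback while preparing each
    statement; returning SQLITE_DENY makes preparation fail, so DDL, writes,
    PRAGMAs and reads of other tables never execute on this connection."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_READ_TABLES:
        return sqlite3.SQLITE_OK          # arg1 = table, arg2 = column
    if action == sqlite3.SQLITE_FUNCTION:
        return sqlite3.SQLITE_OK          # built-in functions inside a SELECT
    return sqlite3.SQLITE_DENY


def restricted_connection():
    """Sample database with the read-only authorizer installed."""
    conn = open_sample_db()
    conn.set_authorizer(read_only_authorizer)
    return conn


def attempt(conn, sql):
    """Try to prepare and run sql; report whether the authorizer let it through."""
    try:
        conn.execute(sql).fetchall()
        return (True, "ok")
    except sqlite3.DatabaseError as exc:   # 'not authorized' arrives as DatabaseError
        return (False, str(exc))


def sqlite_library_version():
    """Version of the SQLite library actually linked into this process; compare it
    against the release notes of whichever release ships the fixes."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    conn = restricted_connection()
    print("linked SQLite:", sqlite_library_version())
    print("lookup alice:", safe_lookup(conn, "alice"))
    print("lookup 'DROP TABLE users' as a value:", safe_lookup(conn, "DROP TABLE users"))
    for stmt in ("SELECT name FROM users", "DROP TABLE users", "PRAGMA writable_schema=1"):
        print(f"{stmt!r}: {attempt(conn, stmt)}")
```

The authorizer only helps on connections that are genuinely read-only; the application's own writes need a separate, unrestricted connection. It is not a substitute for keeping statement text out of callers' hands, but it does turn "arbitrary SQL reaches the engine" into "arbitrary SQL fails at prepare", which is the category Hipp says these CVEs depend on.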