CVE-2021-36690: Segmentation fault vulnerability in SQLite sqlite3 3.36.0 via the idxGetTableInfo function, in which a crafted SQL query can cause a denial of service Seems there's a patch: https://sqlite.org/src/info/b1e0c22ec981cf5f
Patch applied in upstream (as linked - https://sqlite.org/src/info/b1e0c22ec981cf5f). Patch got merged long ago, as far as I can see no vulnerable versions left in tree.
(In reply to 9ts641j2 from comment #1) > Patch applied in upstream (as linked - > https://sqlite.org/src/info/b1e0c22ec981cf5f). Patch got merged long ago, When? What version? > as far as I can see no vulnerable versions left in tree.
Patch was merged 2021-07-08 12:12:39 in commit fdcd3bd969351c4e860a1368a6ab64bc4c94d2d89396805b28853a514d06fd92 into branch "trunk". Oldest version in tree is 3.38.2, published 2022-03-26 (https://sqlite.org/src/timeline?t=version-3.38.2) while the latest version 3.39.1 was published 2022-07-13 (https://sqlite.org/src/timeline?t=version-3.39.1). The fix should have been live for about a year now.
Seems it's actually been in since 3.37.0: https://github.com/sqlite/sqlite/commit/77ea22300b5bcc0961be5c2578a262d91917cf1f (sorry, no idea how to use fossil) Seems to be near impossible to exploit without control of the database anyway, so no GLSA. All done!