Bug 955819 - <dev-db/sqlite-3.49.2: Crash via malicious CREATE TABLE statements
Summary: <dev-db/sqlite-3.49.2: Crash via malicious CREATE TABLE statements
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: C3 [stable]
Keywords:
Depends on: 957115
Blocks:
Reported: 2025-05-11 04:15 UTC by Sam James
Modified: 2025-06-08 07:11 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description: Sam James, 2025-05-11 04:15:28 UTC
"""
Patch release 3.49.2 is now available on the SQLite website

  *   https://sqlite.org/ [1]
  *   https://sqlite.org/releaselog/3_49_2.html [2]

This patch fixes a mistake in an optimization in version 3.40.0.  An
attacker that is able to run arbitrary CREATE TABLE statements can
exploit this bug to cause a read past the end of a static array,
resulting in a crash.

The next major release, 3.50.0, is due out in just over three weeks
and contains the same fix along with many other improvements.
Depending on your situation, you might want to wait until 3.50.0 is
available and update then.  The latest trunk check-ins are stable and
suitable for use.  The SQLite website is itself running on the latest
trunk check-in of SQLite.  If you are able, please consider upgrading
to a recent trunk check-in or the prerelease snapshot on the download
page (https://sqlite.org/download.html [3]) instead of the 3.49.2 patch.
"""
Comment 1: Sam James, 2025-05-11 04:17:48 UTC
Per https://sqlite.org/releaselog/3_49_2.html, there are some other fixes we may as well pick up with the bump:
"""
Changes in this specific patch release, version 3.49.2 (2025-05-07):

    Fix a bug in the NOT NULL optimization of version 3.40.0 (item 3c in the version 3.40.0 change log) that can lead to a memory error if abused.
    Fix the count-of-view optimization so that it does not give an incorrect answer for a DISTINCT query.
    Fix a possible incorrect answer that can result if a UNIQUE constraint of a table contains the PRIMARY KEY column and that UNIQUE constraint is used by an IN operator.
    Fix obscure problems with the generate_series() extension function.
    Incremental improvements to the configure/make.
"""

Doing that now.
Comment 2: Larry the Git Cow, 2025-05-11 04:34:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6b89770e6a5a56ac74c96d21e66080ed4a81655

commit e6b89770e6a5a56ac74c96d21e66080ed4a81655
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-05-11 04:33:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-05-11 04:34:09 +0000

    dev-db/sqlite: add 3.49.2
    
    Bug: https://bugs.gentoo.org/955819
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/sqlite/Manifest             |   2 +
 dev-db/sqlite/sqlite-3.49.2.ebuild | 446 +++++++++++++++++++++++++++++++++++++
 2 files changed, 448 insertions(+)