Summary: | <dev-db/sqlite-3.8.3.1: array overrun in the skip-scan optimization leading to memory corruption (DoS) (CVE-2013-7443) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | arfrever.fta, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1243476 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=605688 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-07-16 07:38:41 UTC
(In reply to Agostino Sarubbo from comment #0)
> Upstream fix:
> https://www.sqlite.org/src/info/ac5852d6403c9c96

So it was fixed on 2013-12-23 and the fix was released in SQLite 3.8.3 on 2014-02-03 (http://sqlite.org/releaselog/3_8_3.html).
I leave closing of this bug to security team...

@security:

The first fixed stable version is 3.8.3.1:

11 Mar 2014; Jeroen Roovers <jer@gentoo.org> sqlite-3.8.3.1.ebuild:
Stable for HPPA (bug #504218).

The vulnerable version was removed on:

18 Nov 2014; Mike Gilbert <floppym@gentoo.org> -sqlite-3.8.2.ebuild,

I don't know if it qualifies for a glsa or is just too old and we can close directly

(In reply to Agostino Sarubbo from comment #2)
> @security:
>
> I don't know if it qualifies for a glsa or is just too old and we can close
> directly

Closing without specific GLSA as this version is covered by https://security.gentoo.org/glsa/201507-05:

Affected versions < 3.8.9
Unaffected versions >= 3.8.9

CVE-2013-7443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7443):
Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.