Summary: | <dev-db/sqlite-3.37.0: null pointer dereference (CVE-2021-36690) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | arfrever.fta, base-system, floppym, jsmolic |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.sqlite.org/forum/forumpost/718c0a8d17 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2021-08-24 16:36:53 UTC
Patch applied in upstream (as linked - https://sqlite.org/src/info/b1e0c22ec981cf5f). Patch got merged long ago, as far as I can see no vulnerable versions left in tree. (In reply to 9ts641j2 from comment #1) > Patch applied in upstream (as linked - > https://sqlite.org/src/info/b1e0c22ec981cf5f). Patch got merged long ago, When? What version? > as far as I can see no vulnerable versions left in tree. Patch was merged 2021-07-08 12:12:39 in commit fdcd3bd969351c4e860a1368a6ab64bc4c94d2d89396805b28853a514d06fd92 into branch "trunk". Oldest version in tree is 3.38.2, published 2022-03-26 (https://sqlite.org/src/timeline?t=version-3.38.2) while the latest version 3.39.1 was published 2022-07-13 (https://sqlite.org/src/timeline?t=version-3.39.1). The fix should have been live for about a year now. Seems it's actually been in since 3.37.0: https://github.com/sqlite/sqlite/commit/77ea22300b5bcc0961be5c2578a262d91917cf1f (sorry, no idea how to use fossil) Seems to be near impossible to exploit without control of the database anyway, so no GLSA. All done! |