| Field | Value |
|---|---|
| Summary | <dev-db/sqlite-3.39.2: buffer overflow |
| Product | Gentoo Security |
| Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | base-system, jsmolic, luke-jr+gentoobugs |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://www.sqlite.org/cves.html |
| Whiteboard | A2 [glsa+] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 862429 |
| Bug Blocks | |
Description (John Helmert III):

Now fully disclosed: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

Is there any good way to search my system for embedded vulnerable copies of sqlite?

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21415f7abf937d79f78908e89fdcada84ac88a3b

    commit 21415f7abf937d79f78908e89fdcada84ac88a3b
    Author:     Sam James <sam@gentoo.org>
    AuthorDate: 2022-10-28 19:40:27 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2022-10-28 19:49:58 +0000

        dev-db/sqlite: drop 3.39.2, 3.39.3

        Bug: https://bugs.gentoo.org/863431
        Signed-off-by: Sam James <sam@gentoo.org>

     dev-db/sqlite/Manifest             |   4 -
     dev-db/sqlite/sqlite-3.39.2.ebuild | 436 -------------------------------------
     dev-db/sqlite/sqlite-3.39.3.ebuild | 436 -------------------------------------
     3 files changed, 876 deletions(-)

GLSA request filed

Luke-Jr (comment #4):

Has anyone looked into other packages potentially bundling with the vulnerability? (Seems like this should be addressed before a GLSA?)

John Helmert III (comment #5):

(In reply to Luke-Jr from comment #4)
> Has anyone looked into other packages potentially bundling with the
> vulnerability? (Seems like this should be addressed before a GLSA?)

Please do look into it if you know other places it's bundled.

No reason for it to block a GLSA.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=b966ebfc6ef872316dabbe9fe102bd7f47faadb1

    commit b966ebfc6ef872316dabbe9fe102bd7f47faadb1
    Author:     GLSAMaker <glsamaker@gentoo.org>
    AuthorDate: 2022-10-31 20:24:49 +0000
    Commit:     John Helmert III <ajak@gentoo.org>
    CommitDate: 2022-10-31 20:25:51 +0000

        [ GLSA 202210-40 ] SQLite: Multiple Vulnerabilities

        Bug: https://bugs.gentoo.org/777990
        Bug: https://bugs.gentoo.org/863431
        Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
        Signed-off-by: John Helmert III <ajak@gentoo.org>

     glsa-202210-40.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
     1 file changed, 44 insertions(+)

GLSA released, all done!

Luke-Jr (comment #8):

(In reply to John Helmert III from comment #5)
> (In reply to Luke-Jr from comment #4)
> > Has anyone looked into other packages potentially bundling with the
> > vulnerability? (Seems like this should be addressed before a GLSA?)
>
> Please do look into it if you know other places it's bundled.
>
> No reason for it to block a GLSA.

My thought is that until this is done, it's unknown what packages need to be bumped to secure against the vulnerability. Can't advise users to do the unknown...

(In reply to Luke-Jr from comment #8)
> (In reply to John Helmert III from comment #5)
> > (In reply to Luke-Jr from comment #4)
> > > Has anyone looked into other packages potentially bundling with the
> > > vulnerability? (Seems like this should be addressed before a GLSA?)
> >
> > Please do look into it if you know other places it's bundled.
> >
> > No reason for it to block a GLSA.
>
> My thought is that until this is done, it's unknown what packages need to be
> bumped to secure against the vulnerability. Can't advise users to do the
> unknown...

Correct. Someone will have to find anywhere sqlite is bundled. I'd be happy if you could volunteer.
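The thread above asks twice how to find embedded copies of SQLite on a system and which packages bundle it. One heuristic that answers both: the SQLite amalgamation compiles the SQLITE_SOURCE_ID string ("YYYY-MM-DD HH:MM:SS <hash>") into every binary that contains it, so a file carrying such a string has its own SQLite build, while a file that merely lists libsqlite3.so as a NEEDED library is covered by upgrading dev-db/sqlite. The POSIX shell below is an added example written for this page, not tooling from the bug, from Gentoo or from SQLite. Its assumptions are labelled: the source-id regex, the cut-off date (3.39.2, the first version the bug title treats as fixed, was released on 2022-07-21 according to sqlite.org's release history; that date does not appear on this page), and the sample files in the usage note, which are constructed.

```sh
#!/bin/sh
# Added example, not Gentoo tooling: heuristic scan for bundled SQLite copies
# older than 3.39.2. The SQLite amalgamation embeds SQLITE_SOURCE_ID as
# "YYYY-MM-DD HH:MM:SS <hash>" (64 hex chars in current releases, 40 in
# older ones), so a file containing one has SQLite compiled into it.

# Assumption: 3.39.2 was released on 2022-07-21 (sqlite.org release history).
# An embedded source id dated before that comes from an older build.
FIXED_DATE=20220721
SOURCEID_RE='20[0-9]{2}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9a-f]{40,64}'

# Print the first embedded SQLite source id found in FILE, or nothing.
sqlite_sourceid_of() {
    grep -aoE "$SOURCEID_RE" "$1" 2>/dev/null | head -n 1
}

# Exit 0 if FILE references libsqlite3.so (dynamic linking; the NEEDED entry
# is a plain string in .dynstr), 1 otherwise.
links_system_sqlite() {
    grep -aq 'libsqlite3\.so' "$1" 2>/dev/null
}

# Classify FILE as "bundled-old <date>", "bundled-ok <date>", "dynamic" or "none".
classify_sqlite() {
    sid=$(sqlite_sourceid_of "$1")
    if [ -n "$sid" ]; then
        date=${sid%% *}                       # "YYYY-MM-DD"
        num=$(printf '%s' "$date" | tr -d -)  # "YYYYMMDD" for integer compare
        if [ "$num" -lt "$FIXED_DATE" ]; then
            printf 'bundled-old %s\n' "$date"
        else
            printf 'bundled-ok %s\n' "$date"
        fi
    elif links_system_sqlite "$1"; then
        echo dynamic
    else
        echo none
    fi
}

# Walk DIR and print one "<class>\t<path>" line per file that bundles or
# links SQLite. bundled-old hits need the bundling package bumped; dynamic
# hits are fixed by the dev-db/sqlite upgrade alone.
scan_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        c=$(classify_sqlite "$f")
        [ "$c" = none ] || printf '%s\t%s\n' "$c" "$f"
    done
}
```

Run it as `scan_tree /usr/lib64; scan_tree /usr/bin; scan_tree /opt`, then map each bundled-old path back to its package with `qfile`. A source-id-shaped string can occur in non-SQLite data too (a checked-out SQLite git log, for instance), so confirm a hit before acting on it; the short "3.x.y" version string usually sits next to the source id in the same binary. Exercising the classifier on constructed files: a file containing `2021-01-02 03:04:05 <64 hex chars>` classifies as `bundled-old 2021-01-02`, one dated `2022-09-01` as `bundled-ok 2022-09-01`, one containing only `libsqlite3.so.0` as `dynamic`.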