Bug 624164 (CVE-2017-10989) - <dev-db/sqlite-3.17.0: buffer over-reads were recently discovered
Status: RESOLVED FIXED
Alias: CVE-2017-10989
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-07 18:45 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-11-03 19:48 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
sqlite-3.19.3-CVE-2017-10989.patch (1.26 KB, patch)
2017-07-16 09:31 UTC, Andrey Ovcharov

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-07 18:45:41 UTC
[Suggested description]
Undersize RTree blobs in a maliciously-constructed SQLite3 database file
may allow buffer-overreads, un-initialized data use, or possibly other
unspecified behaviour.

References:

> https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
> https://sqlite.org/src/info/66de6f4a
> https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
> http://marc.info/?l=sqlite-users&m=149933696214713&w=2
Comment 1 Arfrever Frehtes Taifersar Arahesis 2017-07-07 20:35:27 UTC
According to that discussion the bug is not reproducible in SQLite >=3.17.0.
SQLite 3.17.0 is already stable.
Comment 2 Andrey Ovcharov 2017-07-16 08:53:40 UTC
> bug is not reproducible in SQLite >=3.17.0.

https://nvd.nist.gov/vuln/detail/CVE-2017-10989

"The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact."

Ok. So as you say.
Comment 3 Andrey Ovcharov 2017-07-16 09:31:24 UTC
Created attachment 485076
sqlite-3.19.3-CVE-2017-10989.patch

Upstream patch
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-30 00:15:57 UTC
@maintainers, please clean the vulnerable versions.
Comment 5 Arfrever Frehtes Taifersar Arahesis 2017-11-01 21:11:19 UTC
Old versions deleted.