Bug 685838 (CVE-2019-5018) - <dev-db/sqlite-3.28.0: use-after-free in window function leading to remote code execution (CVE-2019-5018)
Summary: <dev-db/sqlite-3.28.0: use-after-free in window function leading to remote co...
Alias: CVE-2019-5018
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Depends on:
Blocks: CVE-2019-9936, CVE-2019-9937
  Show dependency tree
Reported: 2019-05-13 14:20 UTC by GLSAMaker/CVETool Bot
Modified: 2019-12-12 08:33 UTC

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 14:20:40 UTC
CVE-2019-5018 (
  An exploitable use after free vulnerability exists in the window function
  functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a
  use after free vulnerability, potentially resulting in remote code
  execution. An attacker can send a malicious SQL command to trigger this
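The bug title fixes the vulnerable range only from above ("<dev-db/sqlite-3.28.0"), and the SQLite that matters at runtime is the one linked into the process, which is not always the one the package manager reports. The following is an added example, not code from the bug, Gentoo, or the SQLite project: it probes the library linked into Python for window-function support (the feature the CVE text points at) and compares its version against the affected range. The lower bound of 3.25.0 is an assumption added here (the release that introduced window functions); the bug itself states only the 3.28.0 fix version.

```python
import sqlite3

# Upper bound taken from the bug title: "<dev-db/sqlite-3.28.0".
FIXED_IN = (3, 28, 0)
# Assumption added here, not stated on the bug page: window functions first
# shipped in SQLite 3.25.0, so releases before it have no window-function
# code path to reach with a crafted query.
WINDOW_FUNCTIONS_SINCE = (3, 25, 0)


def parse_version(text):
    """Turn a dotted version such as '3.26.0' into a comparable tuple.

    Missing components default to 0, so '3.28' compares equal to '3.28.0'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True if this SQLite release falls inside the range this bug covers."""
    version = parse_version(version_text)
    return WINDOW_FUNCTIONS_SINCE <= version < FIXED_IN


def supports_window_functions(conn=None):
    """Probe the linked library: does it accept a window-function query?

    A build without window functions rejects the OVER clause with an
    OperationalError rather than returning rows.
    """
    own_connection = conn is None
    if own_connection:
        conn = sqlite3.connect(":memory:")
    try:
        conn.execute("SELECT row_number() OVER () FROM (SELECT 1)").fetchall()
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        if own_connection:
            conn.close()


def runtime_status():
    """Describe the SQLite actually linked into this interpreter.

    sqlite3.sqlite_version is the library version, not the Python module
    version, which is why it is the value worth checking here.
    """
    version = sqlite3.sqlite_version
    return {
        "sqlite_version": version,
        "window_functions": supports_window_functions(),
        "affected_by_cve_2019_5018": is_affected(version),
    }


if __name__ == "__main__":
    for key, value in runtime_status().items():
        print(f"{key}: {value}")
```

Running the script inside the environment that will execute untrusted SQL (a web application's virtualenv, a container image) is the point; a stable-arch bump on the host says nothing about a vendored or statically linked copy.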
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-13 16:57:50 UTC
amd64 stable
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-05-13 22:01:18 UTC
arm64 stable
Comment 3 Rolf Eike Beer archtester 2019-05-14 08:30:28 UTC
sparc stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-16 23:58:19 UTC
x86 stable
Comment 5 Rolf Eike Beer archtester 2019-05-18 19:24:03 UTC
hppa stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:17:44 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:09 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-06-04 18:52:33 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-06-05 07:14:02 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-05 07:31:06 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-06 06:49:04 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Arfrever Frehtes Taifersar Arahesis 2019-06-08 02:23:23 UTC
Let's give one or two weeks for M68K and SH.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2019-08-03 16:39:00 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #12)
> Let's give one or two weeks for M68K and SH.

They are not stable arches.  Can we move on now?
Comment 14 Larry the Git Cow gentoo-dev 2019-08-09 18:39:26 UTC
The bug has been referenced in the following commit(s):

commit 9b4ecf2fe8842b5ee546ab56f81bbb470cbe91a8
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2019-08-09 17:09:52 +0000
Commit:     Mike Gilbert <>
CommitDate: 2019-08-09 18:39:00 +0000

    dev-db/sqlite: Delete old version (3.27.2).
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <>

 dev-db/sqlite/Manifest                             |   3 -
 .../files/sqlite-3.27.0-full_archive-build.patch   | 461 ---------------------
 .../files/sqlite-3.27.2-full_archive-tests.patch   |  36 --
 dev-db/sqlite/sqlite-3.27.2.ebuild                 | 328 ---------------
 4 files changed, 828 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:46:54 UTC
This issue was resolved and addressed in
 GLSA 201908-09 at
by GLSA coordinator Aaron Bauman (b-man).