Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 863431 (CVE-2022-35737) - <dev-db/sqlite-3.39.2: buffer overflow
Summary: <dev-db/sqlite-3.39.2: buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2022-35737
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.sqlite.org/cves.html
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 862429
Blocks:
  Show dependency tree
 
Reported: 2022-08-03 17:39 UTC by John Helmert III
Modified: 2022-11-01 23:23 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-03 17:39:32 UTC
CVE-2022-35737 (https://kb.cert.org/vuls/id/720344):

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

The CERT URL 404's for me, but the SQLite CVEs patch lists the fix as in 3.39.2
Comment 1 Luke-Jr 2022-10-25 18:42:17 UTC
Now fully disclosed: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

Is there any good way to search my system for embedded vulnerable copies of sqlite?
Comment 2 Larry the Git Cow gentoo-dev 2022-10-28 19:53:29 UTC Comment hidden (obsolete)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 14:52:37 UTC
GLSA request filed
Comment 4 Luke-Jr 2022-10-31 16:28:19 UTC
Has anyone looked into other packages potentially bundling with the vulnerability? (Seems like this should be addressed before a GLSA?)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:07:13 UTC
(In reply to Luke-Jr from comment #4)
> Has anyone looked into other packages potentially bundling with the
> vulnerability? (Seems like this should be addressed before a GLSA?)

Please do look into it if you know other places it's bundled.

No reason for it to block a GLSA.
Comment 6 Larry the Git Cow gentoo-dev 2022-10-31 20:26:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b966ebfc6ef872316dabbe9fe102bd7f47faadb1

commit b966ebfc6ef872316dabbe9fe102bd7f47faadb1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:24:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:51 +0000

    [ GLSA 202210-40 ] SQLite: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/777990
    Bug: https://bugs.gentoo.org/863431
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-40.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:27:46 UTC
GLSA released, all done!
Comment 8 Luke-Jr 2022-11-01 22:40:21 UTC
(In reply to John Helmert III from comment #5)
> (In reply to Luke-Jr from comment #4)
> > Has anyone looked into other packages potentially bundling with the
> > vulnerability? (Seems like this should be addressed before a GLSA?)
> 
> Please do look into it if you know other places it's bundled.
> 
> No reason for it to block a GLSA.

My thought is that until this is done, it's unknown what packages need to be bumped to secure against the vulnerability. Can't advise users to do the unknown...
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 23:23:01 UTC
(In reply to Luke-Jr from comment #8)
> (In reply to John Helmert III from comment #5)
> > (In reply to Luke-Jr from comment #4)
> > > Has anyone looked into other packages potentially bundling with the
> > > vulnerability? (Seems like this should be addressed before a GLSA?)
> > 
> > Please do look into it if you know other places it's bundled.
> > 
> > No reason for it to block a GLSA.
> 
> My thought is that until this is done, it's unknown what packages need to be
> bumped to secure against the vulnerability. Can't advise users to do the
> unknown...

Correct. Someone will have to find anywhere sqlite is bundled. I'd be happy if you could volunteer.