CVE-2022-35737 (https://kb.cert.org/vuls/id/720344): SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API. The CERT URL 404s for me, but the SQLite CVEs patch lists the fix as in 3.39.2.
Now fully disclosed: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/ Is there any good way to search my system for embedded vulnerable copies of sqlite?
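One heuristic answer to the question above, as an added example that is not part of this bug thread, of Gentoo's tooling or of the SQLite project: a POSIX shell scanner that walks directories looking for files that carry the strings a statically linked SQLite compiles in. It assumes (these are assumptions, not facts from the thread) that every build embeds the database header magic "SQLite format 3" and a NUL-terminated SQLITE_VERSION string such as "3.39.1", and it judges any version older than 3.39.2 as inside the affected range from the CVE text. The sample blob it scans in the dry run is constructed inline; the source-id hash in it is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not from the bug thread or the SQLite project): a heuristic
# scanner for statically embedded SQLite copies, to help answer "where else is
# sqlite bundled?". Assumptions: every SQLite build carries the database header
# magic "SQLite format 3" (SQLITE_FILE_HEADER) and a NUL-terminated
# SQLITE_VERSION string such as "3.39.1" (sqlite3_version[]). Anything older
# than FIXED is inside the range CVE-2022-35737 describes (before 3.39.2).
FIXED=3.39.2

# Print the SQLite-looking version strings in one file, one per line, or
# nothing if the file shows no sign of an embedded SQLite.
sqlite_versions_in() {
    # Split the file into runs of printable characters (a portable `strings`).
    strs=$(LC_ALL=C tr -c '[:print:]' '\n' < "$1")
    printf '%s\n' "$strs" | grep -q -F 'SQLite format 3' || return 0
    # Keep only tokens that are exactly a dotted 3.x.y[.z] version.
    printf '%s\n' "$strs" | grep -E -x '3\.[0-9]{1,2}\.[0-9]{1,2}(\.[0-9]+)?' | sort -u
}

# Return 0 if dotted version $1 is numerically older than $2, else 1.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=; else b=${b#*.}; fi
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1
}

# Walk the given directories and print one tab-separated line per hit:
# <file> <version> <VULNERABLE|ok>, judging the version against FIXED.
scan_for_embedded_sqlite() {
    for d in "$@"; do
        find "$d" -type f 2>/dev/null
    done | while IFS= read -r f; do
        vers=$(sqlite_versions_in "$f")
        [ -n "$vers" ] || continue
        for v in $vers; do
            if version_lt "$v" "$FIXED"; then verdict=VULNERABLE; else verdict=ok; fi
            printf '%s\t%s\t%s\n' "$f" "$v" "$verdict"
        done
    done
}

# Constructed sample for a dry run (not a real binary): one blob carrying the
# strings an embedded SQLite 3.39.1 would, plus a decoy with a version-like
# token but no SQLite magic. The source-id hash is a made-up placeholder.
make_sample() {
    dir=$(mktemp -d)
    printf 'junk\0SQLite format 3\0%s\0%s\0more junk' \
        3.39.1 '2022-01-01 00:00:00 deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' \
        > "$dir/libapp.so"
    printf 'Version 3.12.7 of something else\0' > "$dir/other.bin"
    printf '%s\n' "$dir"
}

# Real use: SQLITE_SCAN_RUN=1 sh sqlite-scan.sh /usr/lib64 /usr/lib /usr/bin /opt
if [ "${SQLITE_SCAN_RUN:-0}" = 1 ]; then
    [ $# -gt 0 ] || set -- /usr/lib64 /usr/lib /usr/bin /opt
    scan_for_embedded_sqlite "$@"
fi
```

A hit is a lead, not proof: a distribution may backport the fix without bumping the embedded version string, and per the CVE text the bug needs a string argument of billions of bytes, so exploitability depends on whether the embedding application ever passes attacker-controlled input of that size to the C API. Programs that link the system dev-db/sqlite dynamically show no such strings and are covered by the library bump itself.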
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21415f7abf937d79f78908e89fdcada84ac88a3b

commit 21415f7abf937d79f78908e89fdcada84ac88a3b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-28 19:40:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-28 19:49:58 +0000

    dev-db/sqlite: drop 3.39.2, 3.39.3

    Bug: https://bugs.gentoo.org/863431
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/sqlite/Manifest             |   4 -
 dev-db/sqlite/sqlite-3.39.2.ebuild | 436 -------------------------------------
 dev-db/sqlite/sqlite-3.39.3.ebuild | 436 -------------------------------------
 3 files changed, 876 deletions(-)
GLSA request filed
Has anyone looked into other packages potentially bundling with the vulnerability? (Seems like this should be addressed before a GLSA?)
(In reply to Luke-Jr from comment #4)
> Has anyone looked into other packages potentially bundling with the
> vulnerability? (Seems like this should be addressed before a GLSA?)

Please do look into it if you know other places it's bundled.

No reason for it to block a GLSA.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b966ebfc6ef872316dabbe9fe102bd7f47faadb1

commit b966ebfc6ef872316dabbe9fe102bd7f47faadb1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:24:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:51 +0000

    [ GLSA 202210-40 ] SQLite: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/777990
    Bug: https://bugs.gentoo.org/863431
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-40.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
GLSA released, all done!
(In reply to John Helmert III from comment #5)
> (In reply to Luke-Jr from comment #4)
> > Has anyone looked into other packages potentially bundling with the
> > vulnerability? (Seems like this should be addressed before a GLSA?)
>
> Please do look into it if you know other places it's bundled.
>
> No reason for it to block a GLSA.

My thought is that until this is done, it's unknown what packages need to be bumped to secure against the vulnerability. Can't advise users to do the unknown...
(In reply to Luke-Jr from comment #8)
> (In reply to John Helmert III from comment #5)
> > (In reply to Luke-Jr from comment #4)
> > > Has anyone looked into other packages potentially bundling with the
> > > vulnerability? (Seems like this should be addressed before a GLSA?)
> >
> > Please do look into it if you know other places it's bundled.
> >
> > No reason for it to block a GLSA.
>
> My thought is that until this is done, it's unknown what packages need to be
> bumped to secure against the vulnerability. Can't advise users to do the
> unknown...

Correct. Someone will have to find anywhere sqlite is bundled. I'd be happy if you could volunteer.