From ${URL} :
It was reported that SQLite 3.8.2 contained an array overrun in the skip-scan optimization leading to memory corruption.
Upstream bugs:
https://www.sqlite.org/src/info/520070ec7fbaac
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1448758
Upstream fix:
https://www.sqlite.org/src/info/ac5852d6403c9c96
This issue was introduced in https://www.sqlite.org/src/info/b0bb975c0986fe01 which was part of 3.8.2 release.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

(In reply to Agostino Sarubbo from comment #0)
> Upstream fix:
> https://www.sqlite.org/src/info/ac5852d6403c9c96
So it was fixed on 2013-12-23 and the fix was released in SQLite 3.8.3 on 2014-02-03 (http://sqlite.org/releaselog/3_8_3.html).
I leave closing of this bug to the security team...

@security:
The first fixed stable version is 3.8.3.1:
11 Mar 2014; Jeroen Roovers <jer@gentoo.org> sqlite-3.8.3.1.ebuild: Stable for HPPA (bug #504218).
The vulnerable version was removed on:
18 Nov 2014; Mike Gilbert <floppym@gentoo.org> -sqlite-3.8.2.ebuild,
I don't know if it qualifies for a glsa or is just too old and we can close directly

(In reply to Agostino Sarubbo from comment #2)
> @security:
>
> I don't know if it qualifies for a glsa or is just too old and we can close
> directly
Closing without specific GLSA as this version is covered by https://security.gentoo.org/glsa/201507-05:
Affected versions < 3.8.9
Unaffected versions >= 3.8.9

CVE-2013-7443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7443):
Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.