[Suggested description]
Undersize RTree blobs in a maliciously-constructed SQLite3 database file may allow buffer-overreads, un-initialized data use, or possibly other unspecified behaviour.
References:
> https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
> https://sqlite.org/src/info/66de6f4a
> https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
> http://marc.info/?l=sqlite-users&m=149933696214713&w=2
According to that discussion the bug is not reproducible in SQLite >=3.17.0. SQLite 3.17.0 is already stable.
> bug is not reproducible in SQLite >=3.17.0.
https://nvd.nist.gov/vuln/detail/CVE-2017-10989
"The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact."
Ok. So as you say.
Created attachment 485076 sqlite-3.19.3-CVE-2017-10989.patch
Upstream patch
@maintainers, please clean the vulnerable versions.
Old versions deleted.