Bug 629298 (CVE-2017-13685) - <dev-db/sqlite-3.21.0: Segmentation fault in /usr/bin/sqlite3 caused by "PRAGMA empty_result_callbacks=1;" followed by ".dump" (CVE-2017-13685)
Summary: <dev-db/sqlite-3.21.0: Segmentation fault in /usr/bin/sqlite3 caused by "PRAG...
Alias: CVE-2017-13685
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2017-08-29 14:42 UTC by D'juan McDonald (domhnall)
Modified: 2017-11-03 19:50 UTC

Description D'juan McDonald (domhnall) 2017-08-29 14:42:22 UTC
From ${URL}:

The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.

CVE Details:

Upstream Bug:
Comment 1 Mart Raudsepp gentoo-dev 2017-08-29 14:49:01 UTC
Please keep in mind that stabilizing sqlite 3.20 would very likely break stable app-misc/tracker functionality. I hope we can coordinate in a way stable tracker users won't have issues. Me and EvaSDK should be available for such on IRC; might be easier to backport any fix for starters instead of stabilizing 3.20, but maybe we can get newer tracker stable together with sqlite 3.20 if needed and verified it's fine.
Comment 2 Arfrever Frehtes Taifersar Arahesis 2017-08-30 17:29:41 UTC :
  "This is a problem in the command-line shell program, not the core SQLite library."

So it does not seem like a real security vulnerability.
Comment 3 D'juan McDonald (domhnall) 2017-10-16 00:54:13 UTC
@maintainer(s), please test patches and call for stable if possible.

Patch Set:
[The ".dump" command crashes following PRAGMA empty_result_callbacks=1]