Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 01 Jun 2017 08:47:43 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: Information on recent sqlite3 issues?

On Wednesday 31 May 2017 22:30:37 Moritz Muehlenhoff wrote:
> Hi,
> one of the latest Apple advisories mentions several vulnerabilities in
> sqlite: https://support.apple.com/en-us/HT207798
> 
> CVE-2017-2513: found by OSS-Fuzz
> CVE-2017-2518: found by OSS-Fuzz
> CVE-2017-2520: found by OSS-Fuzz
> CVE-2017-2519: found by OSS-Fuzz
> CVE-2017-6983: Chaitin Security Research Lab (@...itinTech) working with
> Trend Micro's Zero Day Initiative CVE-2017-6991: Chaitin Security Research
> Lab (@...itinTech) working with Trend Micro's Zero Day Initiative
> 
> Does anyone have additional information on those and whether that
> applies to the standard sqlite releases or Apple-specific changes?
> 
> Cheers,
>         Moritz

Hi.

I don't know about apple itself but in the clusterfuzz reports I see 4 public 
bugs about sqlite.
However they have a very small (2 days) range of regression, i.e. a commit 
made in those two days causes the problem.
I didn't check, but I suspect they didn't go in any release.

FTR, the time you are seeing in the regression range is UTC:
https://github.com/google/oss-fuzz/issues/563

At this point I don't know if apple referer to those issues or the mentioned 
issues are not public.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ