oss-security - [cve-request@...re.org: Re: [scr357564] sqlite3

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Fri, 7 Jul 2017 11:33:14 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: [cve-request@...re.org: Re: [scr357564] sqlite3 - fix in progress]

Hello; some buffer over-reads were recently discovered in sqlite3 via
Google's clusterfuzz of GDAL. Thanks to Even Rouault for coordinating and
D. Richard Hipp for the fast and friendly fix.

Here's the description and references I supplied to MITRE, and their
(trimmed) reply:

----- Forwarded message from cve-request@...re.org -----
> [Suggested description]
> Undersize RTree blobs in a maliciously-constructed SQLite3 database file
> may allow buffer-overreads, un-initialized data use, or possibly other
> unspecified behaviour.
>
> [Reference]
> https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
> https://sqlite.org/src/info/66de6f4a
> https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
> http://marc.info/?l=sqlite-users&m=149933696214713&w=2
>
> [Discoverer]
> Google's project clusterfuzz

Use CVE-2017-10989.

----- End forwarded message -----

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.