|
Message-ID: <20170707183314.GA23728@hunt>
Date: Fri, 7 Jul 2017 11:33:14 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: [cve-request@...re.org: Re: [scr357564] sqlite3 - fix in progress]
Hello; some buffer over-reads were recently discovered in sqlite3 via
Google's clusterfuzz of GDAL. Thanks to Even Rouault for coordinating and
D. Richard Hipp for the fast and friendly fix.
Here's the description and references I supplied to MITRE, and their
(trimmed) reply:
----- Forwarded message from cve-request@...re.org -----
> [Suggested description]
> Undersize RTree blobs in a maliciously-constructed SQLite3 database file
> may allow buffer-overreads, un-initialized data use, or possibly other
> unspecified behaviour.
>
> [Reference]
> https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
> https://sqlite.org/src/info/66de6f4a
> https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
> http://marc.info/?l=sqlite-users&m=149933696214713&w=2
>
> [Discoverer]
> Google's project clusterfuzz
Use CVE-2017-10989.
----- End forwarded message -----
Thanks
Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.