[Secure-testing-team] Bug#867618: sqlite3: CVE-2017-10989

Salvatore Bonaccorso carnil at debian.org
Fri Jul 7 19:53:46 UTC 2017


Source: sqlite3
Version: 3.8.7.1-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for sqlite3.

CVE-2017-10989[0]:
| The getNodeSize function in ext/rtree/rtree.c in SQLite before 3.11.0,
| as used in GDAL and other products, mishandles undersized RTree blobs
| in a crafted database, leading to a heap-based buffer over-read or
| possibly unspecified other impact.

Even though the above description mentions "before 3.11.0" (and actually
would be 3.17.0), the issue is still present in later versions; it's
hidden, as explained in [1]. There is a patch at [2]. So it might as well
be applied to newer versions (and it's basically already queued upstream
as well, with the referenced commit).

,---- [ make test ]
| ...
| ! rtreeA-7.110 expected: [1 {undersize RTree blobs in "t1_node"}]
| ! rtreeA-7.110 got:      [1 {database disk image is malformed}]
| Time: rtreeA.test 56 ms
| ...
`----

(Unrelated: speaking of the testsuite, it would be great if #339368 could
be made to work in Debian, maybe with autopkgtest smoke-tests running
the upstream testsuite, but I'm not sure how feasible this is.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10989
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989
[1] https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937/comments/7
[2] https://sqlite.org/src/info/66de6f4a

Regards,
Salvatore
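
A pre-screening check for the "undersized RTree blobs" condition named in the CVE text, as an added example that is not part of the original message or of SQLite. It reads only the ordinary "<name>_node" shadow tables of an untrusted database; the 448-byte minimum (smallest SQLite page size, 512, minus 64) and all function names are assumptions, not values from this report.

```python
import sqlite3

# Assumption: the R-Tree module sizes nodes as page_size - 64 and the smallest
# SQLite page is 512 bytes, so no well-formed node is shorter than 448 bytes.
MIN_NODE_SIZE = 512 - 64


def find_undersize_rtree_nodes(conn, min_size=MIN_NODE_SIZE):
    """Return (table, nodeno, length) for every node blob shorter than min_size.

    Only the ordinary "<name>_node" shadow tables are read; the R-Tree
    virtual table itself is never queried on the untrusted file.
    """
    findings = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name LIKE '%\\_node' ESCAPE '\\'"
    ).fetchall()
    for (name,) in tables:
        quoted = '"' + name.replace('"', '""') + '"'
        cols = {row[1].lower() for row in conn.execute(f"PRAGMA table_info({quoted})")}
        if not {"nodeno", "data"} <= cols:
            continue  # name matches, but it is not shaped like a shadow table
        rows = conn.execute(
            f"SELECT nodeno, coalesce(length(CAST(data AS BLOB)), 0) FROM {quoted} "
            "WHERE coalesce(length(CAST(data AS BLOB)), 0) < ?", (min_size,)
        )
        findings += [(name, nodeno, size) for nodeno, size in rows]
    return findings


def build_sample():
    """Constructed sample: plain tables shaped like R-Tree shadow tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1_node(nodeno INTEGER PRIMARY KEY, data BLOB)")
    conn.execute("CREATE TABLE t2_node(nodeno INTEGER PRIMARY KEY, data BLOB)")
    conn.execute("INSERT INTO t1_node VALUES (1, zeroblob(16))")   # undersize
    conn.execute("INSERT INTO t2_node VALUES (1, zeroblob(448))")  # minimum legal size
    return conn


if __name__ == "__main__":
    for table, nodeno, size in find_undersize_rtree_nodes(build_sample()):
        print(f'undersize RTree blobs in "{table}": node {nodeno} is {size} bytes')
```

Run against a real file by passing sqlite3.connect("file:PATH?mode=ro", uri=True) instead of the constructed sample.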


