
Re: [sqlite3] About backporting DSA-3252-1 fixes to wheezy and squeeze

On Mon, Jun 08, 2015 at 06:54:55AM +0200, Santiago Ruano Rincón wrote:
> Hi,
> sqlite3's DSA-3252-1 concerns three CVEs: CVE-2015-3414, CVE-2015-3415
> and CVE-2015-3416. I've taken a look at how they impact wheezy and
> squeeze, and as far as I can see, backporting CVE-2015-3414 and
> CVE-2015-3415 is not so trivial and I'm not sure if they affect the old
> stable releases.

I couldn't reproduce CVE-2015-3414 in wheezy and squeeze so I marked it as n/a
in the security-tracker. As for CVE-2015-3415, I'm not sure how one is supposed
to reproduce it in the first place, so I can't really tell right now.

> However, CVE-2015-3416 affects wheezy and I've backported the attached
> patch. For the moment, I've been unable to reproduce the segfault in
> squeeze, the code prevents overflowing when it converts floating-points,
> but the fix can be backported to add an extra protection. Although, I'd
> like to hear a second opinion.
> What do you think?

I don't think squeeze is affected by CVE-2015-3416 at all (even valgrind shows
nothing), but I'll leave that to the LTS team to decide.

In general CVE-2015-3416 doesn't seem all that critical, but since it's been
fixed in jessie I don't see why it shouldn't be fixed in wheezy as well. But
first I'd like to understand if wheezy is affected by CVE-2015-3415 or not.

Thanks for your work.

