Re: Request for help/comments: sqlite3
On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
> thanks for your response!
> Ola Lundqvist:
> > I have now looked into this problem to see if I can find out something.
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and I cannot find that it can be.
> > The rtreenode function is registered using sqlite3_create_function
> > in sqlite3_rtree_init. But I cannot find that the sqlite4_rtree_init
> > function is called from anywhere.
> > Based on this I think we can rather safely say that the function is not
> > used in Debian and hence the package is not affected.
> Ok, great. So given that others didn't comment (yet) and we both agree
> on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.
> Let's wait for Security Team's opinion. My recommendation for them would
> be to do the same, given that backporting the fix for CVE-2019-8457 to
> the sqlite3 version in Stretch will be as complex as it is for Jessie.
Ack, we will look into it.
> > I think we usually
> > mark it as ignored with a description. An alternative is to mark it as
> > not-affected but I'm not sure whether that should be done in this case
> > since the vulnerability is there, just not triggered. Someone else can
> > maybe help out with that decision.
> Marking it as 'non-affected' would be wrong as the package *is*
> affected. It's just that we consider it a minor vulnerability that we
> ignore for Jessie given that backporting a proper fix would mean very
> invasive code changes.
> @Security Team: do you have a suggestion how to mark cases like this one
> in data/CVE/list? The best probably would be to have a 'no-dla' flag, right?
No, there is no additional flag needed for that. Use no-dsa or, if you
want to make a stronger annotation that the LTS team does not want to
look further at the CVE, <ignored>. See