Re: Request for help/comments: sqlite3
On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
> thanks for your response!
> Ola Lundqvist:
> > I have now looked into this problem to see if I can find out something.
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and I cannot find that it can be.
> > The rtreenode function is registered using sqlite3_create_function
> > in sqlite3_rtree_init. But I cannot find that the sqlite3_rtree_init
> > function is called from anywhere.
> > Based on this I think we can rather safely say that the function is not
> > used in Debian and hence the package is not affected.
> Ok, great. So given that others didn't comment (yet) and we both agree
> on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.
> Let's wait for the Security Team's opinion. My recommendation for them would
> be to do the same, given that backporting the fix for CVE-2019-8457 to
> the sqlite3 version in Stretch will be as complex as it is for Jessie.
FWIW, it was marked no-dsa, ideally fixing this in a point release and
exposing it more to testing before the point release update itself (a
backport might be feasible; Ubuntu has released a USN including fixes for
various older versions as well).
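The triage above rests on whether rtreenode is reachable from SQL at all on a given sqlite3 build. The following Python snippet is an added example, not code from the thread or from the sqlite3 package: it probes a build for rtreenode and rtreedepth without ever executing their bodies (SQLite rejects a zero-argument call at name resolution, before the function runs) and reports whether the R*Tree module is compiled in. The zero-argument probe and the function names checked are this example's own choices.

```python
import sqlite3


def sql_function_status(name, conn=None):
    """Return 'registered' or 'absent' for a SQL function on this build.

    A zero-argument call never reaches the function body: SQLite resolves the
    name first and reports either 'no such function' (not registered) or
    'wrong number of arguments' (registered under another arity). `name`
    must be a trusted identifier; it is interpolated into SQL unquoted.
    """
    if conn is None:
        conn = sqlite3.connect(":memory:")
    try:
        conn.execute(f"SELECT {name}()")
    except sqlite3.OperationalError as exc:
        msg = str(exc)
        if msg.startswith("no such function"):
            return "absent"
        if msg.startswith("wrong number of arguments"):
            return "registered"
        raise
    # The call succeeded with zero arguments (variadic function): it exists.
    return "registered"


def rtree_exposure(conn=None):
    """Summarise R*Tree exposure: compile option plus SQL reachability."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    # PRAGMA compile_options lists options without the SQLITE_ prefix.
    options = {row[0] for row in conn.execute("PRAGMA compile_options")}
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "rtree_compiled": "ENABLE_RTREE" in options,
        "rtreenode": sql_function_status("rtreenode", conn),
        "rtreedepth": sql_function_status("rtreedepth", conn),
    }


if __name__ == "__main__":
    for key, value in rtree_exposure().items():
        print(f"{key}: {value}")
```

Run it against the interpreter linked to the libsqlite3 you care about; "registered" for rtreenode means the function is exposed to any SQL the process will execute, regardless of whether your own code ever calls it.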