Re: Incomplete fix for CVE-2019-20218/sqlite3
> CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
Thanks for this. With my FD hat on, I've just re-added it to
dla-needed.txt, and here is the relevant debian/changelog entry (lines
1 sqlite3 (3.16.2-5+deb9u2) stretch-security; urgency=high
3 * Non-maintainer upload by the LTS Team.
4 * CVE-2018-8740: Databases whose schema is corrupted using a CREATE TABLE AS
5 statement could cause a NULL pointer dereference.
6 * CVE-2018-20346, CVE-2018-20506: Add extra defenses against strategically
7 corrupt databases to fts3/4.
8 * CVE-2019-5827: Integer overflow allowed a remote attacker to potentially
9 exploit heap corruption via a crafted HTML page, primarily impacting
11 * CVE-2019-9936: Potential information leak when running fts5 prefix queries
12 inside a transaction, which could trigger a heap-based buffer over-read.
13 * CVE-2019-9937: interleaving reads and writes in a single transaction with
14 an fts5 virtual table will lead to a NULL Pointer Dereference
15 * CVE-2019-16168: Missing validation resulting in a potential division by
16 zero, which can crash a browser or other application
17 * CVE-2019-20218: Do not attempt to unwind the WITH stack in the event of a
18 parse error
19 * CVE-2020-13630: Fix use-after-free in fts3EvalNextRow, related to the
20 snippet feature
21 * CVE-2020-13632: Fix NULL pointer dereference via a crafted matchinfo()
23 * CVE-2020-13871: Fix use-after-free in resetAccumulator in select.c
24 * CVE-2020-11655: Fix denial of service resulting from segmentation fault
25 via a malformed window-function query.
26 * CVE-2020-13434: Fix integer overflow in sqlite3_str_vappendf.
28 -- Roberto C. Sanchez <email@example.com> Tue, 04 Aug 2020 19:07:43 -0400
Roberto, can you follow-up on this?
: :' : Chris Lamb
`. `'` firstname.lastname@example.org 🍥 chris-lamb.co.uk