Re: "Magellan" bug in sqlite3
## qmi (firstname.lastname@example.org):
> > > This vulnerability seems to have been already handled. See URL:
> > > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
> > No, we should deal with it in stable release, so tracking is important.
> Please check the link above once again.
Oh well, let's do that, by all means:
- the description reads "sqlite: info leak" - that's not the remote
code execution Tencent has found.
- following the linked bug #566326 - which is from 2010 - the title is
"xulrunner-1.9: iceweasel "clear private data" leaves traces on disk
due to linkage to system libsqlite3 instead of embedded copy"
I conclude that "TEMP-0566326-9A899F" is not the vulnerability Tencent
as dubbed "Magellan".
Further, "TEMP-0566326-9A899F" claims sqlite3 package 3.16.2-5+deb9u1
as "fixed" - on the first machine I checked, that version had been
installed somewhat overan year ago, according to dpkg.log (on 2017-12-09,
to be more exact). (It would be entirely possible that 3.16 is just
too old to be vulnerable - but no such luck, read on).
In fact, PTS at https://tracker.debian.org/pkg/sqlite3 lists "2 security
issues in stretch", one of which is "TEMP-0000000-AAC0D0" with description
""Magellan" remote code execution vulnerability". That one lists sqlite3
version 3.26.0 as vulnerable - which, according to all available sources -
is the fixed version (Tencent: "If your product uses SQLite, please update
to 3.26.0"). I guess this will need fixing?
The fact that Tencent's announcement is thin on detail and thick on alarum
(and we have no official tracking reference and no statement from SQLite
themselves (except a few twitter blurbs)) makes this harder than it