Re: "Magellan" bug in sqlite3
On Mon, Dec 17, 2018 at 6:21 AM Hideki Yamane <firstname.lastname@example.org> wrote:
> It may be known already but https://security-tracker.debian.org/tracker/source-package/sqlite3
> doesn't contain its vulnerability information.
I've sent a detailed analysis of the possible issue back then to the
Security Team. A bit later I had to go off the grid, but now back on
track with some public details.
> Tencent Blade Team released a security advisory about "Magellan" bug
> in sqlite, that was fixed in upstream 3.26.0.
> See https://blade.tencent.com/magellan/index_en.html
It's turned out to be an FTS3/FTS4 extension issue (that is, you are
safe if you don't use it). Upstream confirmed it and fix is
available. First fixed version is 3.25.3 but due to other security
related fixes like an OOM you are better upgrade to the 3.26.0
Only Chrome seems to be affected due to WebSQL usage.