[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: "Magellan" bug in sqlite3

On Mon, Dec 17, 2018 at 6:21 AM Hideki Yamane <henrich@iijmio-mail.jp> wrote:
>  It may be known already but https://security-tracker.debian.org/tracker/source-package/sqlite3
>  doesn't contain its vulnerability information.
 I've sent a detailed analysis of the possible issue back then to the
Security Team. A bit later I had to go off the grid, but now back on
track with some public details.

>  Tencent Blade Team released a security advisory about "Magellan" bug
>  in sqlite, that was fixed in upstream 3.26.0.
>  See https://blade.tencent.com/magellan/index_en.html
 It's turned out to be an FTS3/FTS4 extension issue (that is, you are
safe if you don't use it). Upstream confirmed it[1] and fix is
available[2]. First fixed version is 3.25.3 but due to other security
related fixes like an OOM[3] you are better upgrade to the 3.26.0
Only Chrome seems to be affected due to WebSQL usage.

[1] https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html
[2] https://www.sqlite.org/src/info/940f2adc8541a838
[3] https://www.sqlite.org/src/info/de0781485701c138

Reply to: