Re: "Magellan" bug in sqlite3

To: debian-security@lists.debian.org
Subject: Re: "Magellan" bug in sqlite3
From: László Böszörményi (GCS) <gcs@debian.org>
Date: Thu, 20 Dec 2018 09:05:57 +0100
Message-id: <[🔎] CAKjSHr2A0BG92ewDYMMd5CUqVMR5r8d1EoZnFEY6OxoRmeJ28g@mail.gmail.com>
In-reply-to: <[🔎] 20181217142025.9b9cee78daeb1d46da1ebad2@iijmio-mail.jp>
References: <[🔎] 20181217142025.9b9cee78daeb1d46da1ebad2@iijmio-mail.jp>

On Mon, Dec 17, 2018 at 6:21 AM Hideki Yamane <henrich@iijmio-mail.jp> wrote:
>  It may be known already but https://security-tracker.debian.org/tracker/source-package/sqlite3
>  doesn't contain its vulnerability information.
 I've sent a detailed analysis of the possible issue back then to the
Security Team. A bit later I had to go off the grid, but now back on
track with some public details.

>  Tencent Blade Team released a security advisory about "Magellan" bug
>  in sqlite, that was fixed in upstream 3.26.0.
>  See https://blade.tencent.com/magellan/index_en.html
 It's turned out to be an FTS3/FTS4 extension issue (that is, you are
safe if you don't use it). Upstream confirmed it[1] and fix is
available[2]. First fixed version is 3.25.3 but due to other security
related fixes like an OOM[3] you are better upgrade to the 3.26.0
release.
Only Chrome seems to be affected due to WebSQL usage.

Regards,
Laszlo/GCS
[1] https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html
[2] https://www.sqlite.org/src/info/940f2adc8541a838
[3] https://www.sqlite.org/src/info/de0781485701c138

Reply to:

Follow-Ups:
- Re: "Magellan" bug in sqlite3
  - From: Hideki Yamane <henrich@iijmio-mail.jp>

References:
- "Magellan" bug in sqlite3
  - From: Hideki Yamane <henrich@iijmio-mail.jp>

Prev by Date: Re: "Magellan" bug in sqlite3
Next by Date: Re: "Magellan" bug in sqlite3
Previous by thread: Re: "Magellan" bug in sqlite3
Next by thread: Re: "Magellan" bug in sqlite3
Index(es):
- Date
- Thread