Re: "Magellan" bug in sqlite3
On Thu, Dec 20, 2018 at 12:36:23AM +0100, Christoph Moench-Tegeder wrote:
> > > > This vulnerability seems to have been already handled. See URL:
> > > > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
> > >
> > > No, we should deal with it in stable release, so tracking is important.
> > >
> > Please check the link above once again.
> Oh well, let's do that, by all means:
> - the description reads "sqlite: info leak" - that's not the remote
> code execution Tencent has found.
In the Tencent link you can read, 1.'Remote code execution, leaking program
memory or causing program crashes.' and:
2.'Magellan is a number of vulnerabilities that exist in SQLite.' and:
3.'so this vulnerability has a wide range of influence.' and:
4.'We follow the responsible vulnerability disclosure process and will
not disclose the details of the vulnerability in advance... '
The above points 1.2.3.4. might indicate information leakage vulnerability.
> I conclude that "TEMP-0566326-9A899F" is not the vulnerability Tencent
> has dubbed "Magellan".
Now we do know yes, after further research which you pointed out. My
answer was originally, '...seems to have been...'. Not affirmative,
but rather guiding.
Until there is no clear information on the issue, you cannot conclude
it 100% sure what it is exactly about and under which CVE/tracker ID
is tracked despite whatever name it is dubbed as.
> In fact, PTS at https://tracker.debian.org/pkg/sqlite3 lists "2 security
> issues in stretch", one of which is "TEMP-0000000-AAC0D0" with description
> ""Magellan" remote code execution vulnerability". That one lists sqlite3
> version 3.26.0 as vulnerable - which, according to all available sources -
> is the fixed version (Tencent: "If your product uses SQLite, please update
> to 3.26.0"). I guess this will need fixing?
This is correct, it looks like it needs fixing in stretch/jessie, it is clearly stated.
Not in sid, though. The correct tracker ID is
https://security-tracker.debian.org/tracker/TEMP-0000000-AAC0D0 as you stated,
though, I assume that this has been just added very recently.
Anyway, the point here is not which exact tracker deals with the issue
but to dismiss the false assumption that the reader might have come to,
namely, the security issues are not handled - or to be seen not handled -
properly in Debian Linux.
(... 'CVE is not assigned yet, but we should track and try to fix it.' ... )
qmi | Debian GNU/Linux enthusiast
GPG: 3C4B 1364 A379 7366 7FED 260A 2208 F2CE 3FCE A0D3