List: sqlite-users
Subject: Re: [sqlite] clusterfuzz-found issue in GDAL, Ubuntu packages
From: Seth Arnold <seth.arnold () canonical ! com>
Date: 2017-07-06 2:23:01
Message-ID: 20170706022301.GD1732 () hunt
[Sorry for the late reply, but I enjoyed a nice long weekend except
for the sunburns. I kept the wider Cc:s since it feels like this can
be opened.]

On Sat, Jul 01, 2017 at 12:52:54PM +0200, Even Rouault wrote:
> Seth, I can turn the Launchpad bug report as public if you wish. I
> marked it privately if Ubuntu felt it was better. I don't care that much
> about disclosing it publicly.

Aha, I wasn't certain we were allowed to mark it public yet. I don't want
to upset anyone needlessly, but it would be easier to discuss the bug in
public. (Especially since it appears to be 'just' out-of-bound reads. This
can of course be surprising and have non-obvious consequences, but it
doesn't immediately lead to e.g. remote code execution.)

Does this issue sound like it should receive a CVE to ensure other
consumers of sqlite3 discover it? I'm happy to do the paperwork if so.

On Sat, Jul 01, 2017 at 11:28:10AM -0400, Richard Hipp wrote:
> A proper fix for the problem can be seen at https://sqlite.org/src/info/66de6f4a

Now this is short and sweet. I like the look of this patch quite a lot
more than the start of the larger transformation.

On Sat, Jul 01, 2017 at 05:40:57PM +0200, Even Rouault wrote:
> > The plain ASCII patch can be seen at
> > https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
>
> I've just applied this patch on top of 3.11.0. It applies cleanly
>
> patching file ext/rtree/rtree.c
> Hunk #1 succeeded at 3153 (offset -282 lines).
> patching file ext/rtree/rtreeA.test
>
> and I confirm that it solves the issue !

Very good news! Thank you both.