bug-guix

bug#33751: SQLite "Magellan" vulnerability


From: Marius Bakke
Subject: bug#33751: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 01:18:30 +0100
User-agent: Notmuch/0.28 (https://notmuchmail.org) Emacs/26.1 (x86_64-pc-linux-gnu)

Hello!

There is allegedly a remote code execution bug in all versions of SQLite
prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

  1 Added function symbol not referenced by debug info:

    sqlite3_create_window_function

...but I have not tested this.  It's difficult to tell which patches to
apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for
SQLite in order to catch users of libsqlite3.a.  Can we start this on
Berlin concurrently?  Patches attached.

Attachment: 0001-gnu-SQLite-Update-to-3.26.0.patch
Description: Text Data

Attachment: 0002-gnu-SQLite-Add-static-output.patch
Description: Text Data

Attachment: signature.asc
Description: PGP signature
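
The ABI check in the message above can be scripted as a gate before grafting. This is an added example, not part of the original message or of Guix: it parses abidiff summary lines and accepts a replacement only when nothing was removed or changed (added symbols are allowed). The function names are assumptions made for this example, and the sample input is the output quoted in the message.

```python
import re

# abidiff summary lines copied from the message above, used as sample input.
SAMPLE = """\
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
  Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
"""

def _count(word):
    # "<n> <Word>", optionally followed by abidiff's " (<m> filtered out)" note.
    return rf"(?P<{word.lower()}>\d+) {word}(?: \(\d+ filtered out\))?"

# The "Changed" field is absent on the two "symbols" summary lines.
SUMMARY_RE = re.compile(
    rf"^\s*(?P<kind>[A-Za-z ]+?) changes summary:\s*{_count('Removed')},\s*"
    rf"(?:{_count('Changed')},\s*)?{_count('Added')}",
    re.MULTILINE,
)

def parse_abidiff_summary(text):
    """Map each summary kind to its removed/changed/added counts."""
    found = {
        m["kind"]: {k: int(m[k] or 0) for k in ("removed", "changed", "added")}
        for m in SUMMARY_RE.finditer(text)
    }
    # Fail closed: a summary line this parser cannot read must not pass silently.
    if not found or len(found) != text.count("changes summary:"):
        raise ValueError("unparsed or missing abidiff summary line")
    return found

def graft_compatible(text):
    """Return (ok, problems): ok only if nothing was removed or changed."""
    problems = [
        f"{kind}: {c['removed']} removed, {c['changed']} changed"
        for kind, c in parse_abidiff_summary(text).items()
        if c["removed"] or c["changed"]
    ]
    return (not problems, problems)

if __name__ == "__main__":
    print(graft_compatible(SAMPLE))
```

A passing result only says the exported interface is a superset of the old one; it says nothing about behavioural changes between the two versions.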

