Marius Bakke <mbakke@fastmail.com> writes:

> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
>   Functions changes summary: 0 Removed, 0 Changed, 0 Added function                                 
>   Variables changes summary: 0 Removed, 0 Changed, 0 Added variable                                 
>   Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info 
>   Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info 
>
>   1 Added function symbol not referenced by debug info:                                             
>
>     sqlite3_create_window_function
>
> ...but I have not tested this.  It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a.  Can we start this on
> Berlin concurrently?  Patches attached.

Perhaps it's better to start over 'staging' with the new SQLite in the
mean time?  Hydra didn't get too far yet.

It does not add a lot to the current rebuild count.