From: Marius Bakke <mbakke@fastmail.com>
To: 33751@debbugs.gnu.org
Subject: bug#33751: SQLite "Magellan" vulnerability
Date: Sat, 15 Dec 2018 02:51:29 +0100 [thread overview]
Message-ID: <87o99nv9pa.fsf@fastmail.com> (raw)
In-Reply-To: <87r2ejve09.fsf@fastmail.com>
[-- Attachment #1: Type: text/plain, Size: 1487 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Hello!
>
> There is allegedly a remote code execution bug in all versions of SQLite
> prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>.
>
> I think it is safe to graft 3.26.0 in-place:
>
> $ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 1 Added function symbol not referenced by debug info:
>
> sqlite3_create_window_function
>
> ...but I have not tested this. It's difficult to tell which patches to
> apply without knowing more details of the vulnerability.
>
> I am currently building a branch that adds a "static" output for
> SQLite in order to catch users of libsqlite3.a. Can we start this on
> Berlin concurrently? Patches attached.
Perhaps it's better to start over 'staging' with the new SQLite in the
mean time? Hydra didn't get too far yet.
It does not add a lot to the current rebuild count.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
next prev parent reply other threads:[~2018-12-15 1:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-15 0:18 bug#33751: SQLite "Magellan" vulnerability Marius Bakke
2018-12-15 1:51 ` Marius Bakke [this message]
2018-12-15 10:47 ` Ricardo Wurmus
2018-12-25 18:11 ` bug#33751: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].) Alex Vong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o99nv9pa.fsf@fastmail.com \
--to=mbakke@fastmail.com \
--cc=33751@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.