[cve-request () mitre org: Re: [scr357564] sqlite3 - fix in progress]

[Seth Arnold <seth.arnold () canonical com>]

Hello; some buffer over-reads were recently discovered in sqlite3 via
Google's clusterfuzz of GDAL. Thanks to Even Rouault for coordinating and
D. Richard Hipp for the fast and friendly fix.

Here's the description and references I supplied to MITRE, and their
(trimmed) reply:

----- Forwarded message from cve-request () mitre org -----
> [Suggested description]
> Undersize RTree blobs in a maliciously-constructed SQLite3 database file
> may allow buffer-overreads, un-initialized data use, or possibly other
> unspecified behaviour.
>
> [Reference]
> https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
> https://sqlite.org/src/info/66de6f4a
> https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
> http://marc.info/?l=sqlite-users&m=149933696214713&w=2
>
> [Discoverer]
> Google's project clusterfuzz

Use CVE-2017-10989.

----- End forwarded message -----

Thanks

Attachment: signature.asc
Description: