sqlite3: CVE-2017-13685


Debian Bug report logs - #873762
sqlite3: CVE-2017-13685


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 30 Aug 2017 20:51:01 UTC

Severity: normal

Tags: security, upstream

Found in version sqlite3/3.8.7.1-1

Fixed in version sqlite3/3.20.1-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#873762; Package src:sqlite3. (Wed, 30 Aug 2017 20:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 30 Aug 2017 20:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sqlite3: CVE-2017-13685
Date: Wed, 30 Aug 2017 22:47:19 +0200
Source: sqlite3
Version: 3.8.7.1-1
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for sqlite3. It's quite
minor, since it should only be a problem in the command-line shell
program.

CVE-2017-13685[0]:
| The dump_callback function in SQLite 3.20.0 allows remote attackers to
| cause a denial of service (EXC_BAD_ACCESS and application crash) via a
| crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-13685
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13685
[1] https://sqlite.org/src/info/02f0f4c54f2819b3

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Wed, 30 Aug 2017 21:42:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Aug 2017 21:42:15 GMT)


Message #10 received at 873762-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 873762-close@bugs.debian.org
Subject: Bug#873762: fixed in sqlite3 3.20.1-1
Date: Wed, 30 Aug 2017 21:40:03 +0000
Source: sqlite3
Source-Version: 3.20.1-1

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873762@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 30 Aug 2017 21:01:11 +0000
Source: sqlite3
Binary: lemon sqlite3 sqlite3-doc libsqlite3-0-dbg libsqlite3-0 libsqlite3-dev libsqlite3-tcl
Architecture: source amd64 all
Version: 3.20.1-1
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 lemon      - LALR(1) Parser Generator for C or C++
 libsqlite3-0 - SQLite 3 shared library
 libsqlite3-0-dbg - SQLite 3 debugging symbols
 libsqlite3-dev - SQLite 3 development files
 libsqlite3-tcl - SQLite 3 Tcl bindings
 sqlite3    - Command line interface for SQLite 3
 sqlite3-doc - SQLite 3 documentation
Closes: 873762
Changes:
 sqlite3 (3.20.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Backport fix for CVE-2017-13685, '.dump' command crashes following
     PRAGMA empty_result_callbacks=1 (closes: #873762).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Oct 2017 07:27:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:03:50 2019; Machine Name: buxtehude
