Debian Bug report logs - #1026293: sqlite3: CVE-2022-46908
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#1026293; Package src:sqlite3. (Sat, 17 Dec 2022 20:42:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 17 Dec 2022 20:42:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: sqlite3
Version: 3.40.0-1
Severity: important
Tags: security upstream
Forwarded: https://sqlite.org/forum/forumpost/07beac8056151b2f
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for sqlite3.
CVE-2022-46908[0]:
| SQLite through 3.40.0, when relying on --safe for execution of an
| untrusted CLI script, does not properly implement the
| azProhibitedFunctions protection mechanism, and instead allows UDF
| functions such as WRITEFILE.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46908
https://www.cve.org/CVERecord?id=CVE-2022-46908
[1] https://sqlite.org/forum/forumpost/07beac8056151b2f
[2] https://sqlite.org/src/info/cefc032473ac5ad2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#1026293; Package src:sqlite3. (Sun, 18 Dec 2022 09:27:02 GMT)
Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>: Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 18 Dec 2022 09:27:02 GMT)
Message #10 received at 1026293@bugs.debian.org:
Hi Salvatore,
On Sat, Dec 17, 2022 at 9:42 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> CVE-2022-46908[0]:
> | SQLite through 3.40.0, when relying on --safe for execution of an
> | untrusted CLI script, does not properly implement the
> | azProhibitedFunctions protection mechanism, and instead allows UDF
> | functions such as WRITEFILE.
Thanks for reporting! Going to fix it in minutes.
> Please adjust the affected versions in the BTS as needed.
The report is most probably correct. At least the safe option was
added in 3.37.1 [1] and so this vulnerability does not affect our
stable release which has the older, 3.34.1 version.
Cheers,
Laszlo/GCS
[1] https://www.sqlite.org/releaselog/3_37_1.html
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#1026293; Package src:sqlite3. (Sun, 18 Dec 2022 15:51:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 18 Dec 2022 15:51:03 GMT)
Message #15 received at 1026293@bugs.debian.org:
Hi László,
On Sun, Dec 18, 2022 at 10:24:50AM +0100, László Böszörményi (GCS) wrote:
> Hi Salvatore,
>
> On Sat, Dec 17, 2022 at 9:42 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > CVE-2022-46908[0]:
> > | SQLite through 3.40.0, when relying on --safe for execution of an
> > | untrusted CLI script, does not properly implement the
> > | azProhibitedFunctions protection mechanism, and instead allows UDF
> > | functions such as WRITEFILE.
> Thanks for reporting! Going to fix it in minutes.
>
> > Please adjust the affected versions in the BTS as needed.
> The report is most probably correct. At least the safe option was
> added in 3.37.1 [1] and so this vulnerability does not affect our
> stable release which has the older, 3.34.1 version.
Many thanks for the unstable upload and checking status for bullseye
and older.
Regards,
Salvatore
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Dec 18 16:35:34 2022; Machine Name: bembo