* [Buildroot] [PATCH] package/sqlite: security bump to version 3.25.3
@ 2018-12-22  7:44 Peter Korsgaard
  2018-12-30 21:42 ` Thomas Petazzoni
  2019-01-23 14:31 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2018-12-22  7:44 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2018-20346: SQLite before 3.25.3, when the FTS3 extension is
enabled, encounters an integer overflow (and resultant buffer overflow) for
FTS3 queries that occur after crafted changes to FTS3 shadow tables,
allowing remote attackers to execute arbitrary code by leveraging the
ability to run arbitrary SQL statements (such as in certain WebSQL use
cases), aka Magellan.

For more details, see:
https://blade.tencent.com/magellan/index_en.html
https://www.sqlite.org/releaselog/3_25_3.html
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/sqlite/sqlite.hash | 4 ++--
 package/sqlite/sqlite.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/sqlite/sqlite.hash b/package/sqlite/sqlite.hash
index eefa31ffb7..7be42a0aca 100644
--- a/package/sqlite/sqlite.hash
+++ b/package/sqlite/sqlite.hash
@@ -1,6 +1,6 @@
 # From https://www.sqlite.org/download.html
-sha1 aedfbdc14eb700099434d6a743135743cff47393  sqlite-autoconf-3250200.tar.gz
+sha1 5d6dc7634ec59e7a6fffa8758c1e184b2522c2e5  sqlite-autoconf-3250300.tar.gz
 # Calculated based on the hash above
-sha256 da9a1484423d524d3ac793af518cdf870c8255d209e369bd6a193e9f9d0e3181  sqlite-autoconf-3250200.tar.gz
+sha256 00ebf97be13928941940cc71de3d67e9f852698233cd98ce2d178fd08092f3dd  sqlite-autoconf-3250300.tar.gz
 # Locally calculated
 sha256 66e056b6e8687f32af30d5187611b98b12a8f46f07aaf62f43585f276e8f0ac9  tea/license.terms
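Review bot: the only digest with upstream provenance in this hunk is the sha1 under "# From https://www.sqlite.org/download.html"; the sha256 on the next entry is, as its own comment says, "# Calculated based on the hash above", so it carries no more assurance than the sha1 it was chained from. For a security bump it would help to state in the commit message that the tarball was fetched from sqlite.org and matched the published sha1 before the sha256 was computed, and, if the download page publishes a stronger digest for this release, to record that one as well so the entry does not rest on sha1 alone. Leaving the tea/license.terms line untouched is correct, since that file does not change between releases.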
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index 34a0b9538e..6cf5710e5d 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SQLITE_VERSION = 3250200
+SQLITE_VERSION = 3250300
 SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
 SQLITE_SITE = https://www.sqlite.org/2018
 SQLITE_LICENSE = Public domain
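Review bot: SQLITE_SITE = https://www.sqlite.org/2018 is left as unchanged context, which is right for 3.25.3, but that per-year directory is coupled to SQLITE_VERSION: a later bump to a release published in another year will fail to fetch unless this line moves with it. A short comment above SQLITE_SITE noting the coupling, or a sentence in the commit message saying the 2018 directory was checked for this tarball, would spare the next bump a download failure. Also worth a line in the commit message: the CVE text is conditional on the FTS3 extension being enabled, so saying whether this package's configure flags turn FTS3 on would let users judge their exposure from the log alone.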
-- 
2.11.0


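An offline check for this kind of bump, written as an added example rather than Buildroot's own tooling or anything from the sqlite package: it parses the "<algo> <hexdigest>  <filename>" lines of the .hash file shown in the patch, verifies a tarball against every digest line that names it, decodes the 3250300-style number from the tarball name and compares it with 3.25.3 (the release the commit message names as the fix), and confirms that the .mk and .hash files name the same tarball. The tarball bytes, and therefore the digests, are constructed inline so the script runs without downloading anything; the function names are assumptions of this example.

```python
"""Offline checker for a Buildroot package bump like the one in this patch.

Added example, not Buildroot's own code. It parses the
"<algo> <hexdigest>  <filename>" lines used by package/*/*.hash files,
verifies a tarball against every entry naming it, decodes the number in
the sqlite-autoconf tarball name (3250300 -> 3.25.3) and checks that the
.mk's SQLITE_VERSION and the .hash file agree. The tarball bytes and
digests below are constructed for the example; they are not the real
sqlite-autoconf-3250300.tar.gz.
"""
import hashlib
import re

HASH_LINE = re.compile(r"^(md5|sha1|sha256|sha512)\s+([0-9A-Fa-f]+)\s+(\S+)$")
VERSION_LINE = re.compile(r"^SQLITE_VERSION\s*=\s*(\d{7})\s*$", re.M)
# Fixed in 3.25.3 according to the commit message above.
CVE_2018_20346_FIXED_IN = (3, 25, 3, 0)


def parse_hash_file(text):
    """Return [(algo, digest, filename)], skipping blank and '#' lines.

    Lines that look like entries but are malformed raise, so a typo in the
    .hash file is caught instead of being silently ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HASH_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a hash entry: {line!r}")
        algo, digest, filename = m.groups()
        if len(digest) != 2 * hashlib.new(algo).digest_size:
            raise ValueError(f"line {lineno}: {algo} digest has wrong length")
        entries.append((algo, digest.lower(), filename))
    return entries


def verify_file(entries, filename, data):
    """Return {algo: matched} for every entry naming `filename`.

    An empty result means the .hash file never lists the tarball at all,
    which must be treated as a failure, not a pass.
    """
    return {
        algo: hashlib.new(algo, data).hexdigest() == expected
        for algo, expected, name in entries
        if name == filename
    }


def decode_sqlite_version(number):
    """3250300 -> (3, 25, 3, 0): the X YY ZZ WW digits of the tarball name."""
    m = re.fullmatch(r"(\d)(\d\d)(\d\d)(\d\d)", str(number))
    if not m:
        raise ValueError(f"not a 7-digit sqlite version number: {number!r}")
    return tuple(int(part) for part in m.groups())


def bump_fixes_cve(number, fixed_in=CVE_2018_20346_FIXED_IN):
    """True when the bumped version is at or past the fixing release."""
    return decode_sqlite_version(number) >= fixed_in


def check_bump(mk_text, hash_text):
    """Cross-check the .mk version against the tarball names in the .hash file.

    Returns the version number when the two files agree and at least one
    digest line names the tarball for that version.
    """
    m = VERSION_LINE.search(mk_text)
    if not m:
        raise ValueError("SQLITE_VERSION not found in .mk")
    number = m.group(1)
    tarball = f"sqlite-autoconf-{number}.tar.gz"
    names = {name for _, _, name in parse_hash_file(hash_text)}
    if tarball not in names:
        raise ValueError(f"{tarball} has no entry in the .hash file")
    return number


# Constructed sample input (not the real tarball): the digests are derived
# from these bytes so the example runs offline.
SAMPLE_TARBALL = b"constructed stand-in for sqlite-autoconf-3250300.tar.gz\n"
SAMPLE_HASH = (
    "# From https://www.sqlite.org/download.html\n"
    f"sha1 {hashlib.sha1(SAMPLE_TARBALL).hexdigest()}  sqlite-autoconf-3250300.tar.gz\n"
    "# Calculated based on the hash above\n"
    f"sha256 {hashlib.sha256(SAMPLE_TARBALL).hexdigest()}  sqlite-autoconf-3250300.tar.gz\n"
)
SAMPLE_MK = (
    "SQLITE_VERSION = 3250300\n"
    "SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz\n"
)


if __name__ == "__main__":
    number = check_bump(SAMPLE_MK, SAMPLE_HASH)
    version = ".".join(str(p) for p in decode_sqlite_version(number)[:3])
    print(f"bump to {version} fixes CVE-2018-20346: {bump_fixes_cve(number)}")
    entries = parse_hash_file(SAMPLE_HASH)
    print(verify_file(entries, f"sqlite-autoconf-{number}.tar.gz", SAMPLE_TARBALL))
```

Against the real files the same functions take the contents of package/sqlite/sqlite.mk and sqlite.hash plus the downloaded tarball; the point of returning an empty dict from verify_file rather than True is that a tarball the .hash file does not mention must never count as verified.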
* [Buildroot] [PATCH] package/sqlite: security bump to version 3.25.3
  2018-12-22  7:44 [Buildroot] [PATCH] package/sqlite: security bump to version 3.25.3 Peter Korsgaard
@ 2018-12-30 21:42 ` Thomas Petazzoni
  2019-01-23 14:31 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2018-12-30 21:42 UTC (permalink / raw)
  To: buildroot

Hello,

On Sat, 22 Dec 2018 08:44:47 +0100, Peter Korsgaard wrote:
> Fixes CVE-2018-20346: SQLite before 3.25.3, when the FTS3 extension is
> enabled, encounters an integer overflow (and resultant buffer overflow) for
> FTS3 queries that occur after crafted changes to FTS3 shadow tables,
> allowing remote attackers to execute arbitrary code by leveraging the
> ability to run arbitrary SQL statements (such as in certain WebSQL use
> cases), aka Magellan.
> 
> For more details, see:
> https://blade.tencent.com/magellan/index_en.html
> https://www.sqlite.org/releaselog/3_25_3.html
> https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/sqlite/sqlite.hash | 4 ++--
>  package/sqlite/sqlite.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH] package/sqlite: security bump to version 3.25.3
  2018-12-22  7:44 [Buildroot] [PATCH] package/sqlite: security bump to version 3.25.3 Peter Korsgaard
  2018-12-30 21:42 ` Thomas Petazzoni
@ 2019-01-23 14:31 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-01-23 14:31 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2018-20346: SQLite before 3.25.3, when the FTS3 extension is
 > enabled, encounters an integer overflow (and resultant buffer overflow) for
 > FTS3 queries that occur after crafted changes to FTS3 shadow tables,
 > allowing remote attackers to execute arbitrary code by leveraging the
 > ability to run arbitrary SQL statements (such as in certain WebSQL use
 > cases), aka Magellan.

 > For more details, see:
 > https://blade.tencent.com/magellan/index_en.html
 > https://www.sqlite.org/releaselog/3_25_3.html
 > https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard

