
Bug#1026293: sqlite3: CVE-2022-46908


Salvatore Bonaccorso

Dec 17, 2022, 3:50:03 PM
Source: sqlite3
Version: 3.40.0-1
Severity: important
Tags: security upstream
Forwarded: https://sqlite.org/forum/forumpost/07beac8056151b2f
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for sqlite3.

CVE-2022-46908[0]:
| SQLite through 3.40.0, when relying on --safe for execution of an
| untrusted CLI script, does not properly implement the
| azProhibitedFunctions protection mechanism, and instead allows UDF
| functions such as WRITEFILE.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46908
https://www.cve.org/CVERecord?id=CVE-2022-46908
[1] https://sqlite.org/forum/forumpost/07beac8056151b2f
[2] https://sqlite.org/src/info/cefc032473ac5ad2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
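An added audit check, not code from this bug report or from SQLite, that a maintainer can run against an installed sqlite3 CLI to see whether its --safe mode actually refuses the writefile() UDF named in the CVE text above. It assumes a `sqlite3` binary on PATH built with the standard fileio extension; the status names and the marker-file approach are my own.

```shell
#!/bin/sh
# Added audit check (not from the bug report or from SQLite): feed a
# constructed one-line "untrusted" script to `sqlite3 --safe` and report
# whether writefile() was blocked. Assumes a sqlite3 CLI on PATH built
# with the standard fileio extension; status names are my own.
audit_sqlite_safe_mode() {
    bin="${1:-sqlite3}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no-binary"
        return 0
    fi
    tmpdir=$(mktemp -d) || return 1
    marker="$tmpdir/marker.txt"     # exists afterwards only if writefile() ran
    errlog="$tmpdir/stderr.log"
    # The CLI exits non-zero when it refuses the function or the option,
    # so mask the exit status and judge by the marker file and stderr.
    printf "SELECT writefile('%s', 'x');\n" "$marker" \
        | "$bin" --safe :memory: >/dev/null 2>"$errlog" || :
    if [ -e "$marker" ]; then
        status="vulnerable"         # --safe let writefile() create the file
    elif grep -qi 'safe mode' "$errlog"; then
        status="blocked"            # --safe refused the function
    elif grep -qi 'unknown option' "$errlog"; then
        status="no-safe-option"     # CLI predates --safe (added in 3.37.1)
    elif grep -qi 'no such function' "$errlog"; then
        status="no-fileio"          # fileio extension not compiled in
    else
        status="unknown"
    fi
    rm -rf "$tmpdir"
    echo "$status"
}
```

Run `audit_sqlite_safe_mode /path/to/sqlite3` for each binary you ship; anything other than `blocked` on a build that claims --safe support deserves a closer look.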

László Böszörményi

Dec 18, 2022, 4:30:04 AM
Hi Salvatore,

On Sat, Dec 17, 2022 at 9:42 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> CVE-2022-46908[0]:
> | SQLite through 3.40.0, when relying on --safe for execution of an
> | untrusted CLI script, does not properly implement the
> | azProhibitedFunctions protection mechanism, and instead allows UDF
> | functions such as WRITEFILE.
Thanks for reporting! Going to fix it in minutes.

> Please adjust the affected versions in the BTS as needed.
The report is most probably correct. At least the safe option was
added in 3.37.1 [1], and so this vulnerability does not affect our
stable release, which has the older 3.34.1 version.

Cheers,
Laszlo/GCS
[1] https://www.sqlite.org/releaselog/3_37_1.html

Salvatore Bonaccorso

Dec 18, 2022, 11:00:04 AM
Hi László,
Many thanks for the unstable upload and checking status for bullseye
and older.

Regards,
Salvatore