On 7/27/15, Johannes Segitz <jse...@suse.com> wrote:
> Hello,
>
> I hope I'm asking at the correct place, I couldn't find a security contact
> for sqlite.
>
> We track CVE-2015-3717 and CVE-2015-3659 since we ship sqlite. Both affect
> OS X, but I couldn't find why it only affects this OS or what was changed
> to fix the issue. Can you please point me to a patch for the issue so I can
> research it myself? The publicly available details are unfortunately scant.
>
We have no additional information on these reports. We didn't even
know they existed until we saw Reinhard's email a few moments ago.
Dan suggests that both problems might be fixed by
https://www.sqlite.org/src/info/8e4ac2ce24415926 and that the -3659
report comes about because Apple's authorizer callback allows
statements like "SQLITE printf()" to get through. Probably the patch
above does at least address -3717. But that's only a guess.
--
D. Richard Hipp
d...@sqlite.org
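
The reply above attributes the -3659 report to an authorizer callback that lets function calls such as printf() through. The following is an added example, not part of the original email and not SQLite's or Apple's code: a default-deny authorizer, written with Python's `sqlite3` module, that permits only an allowlist of SQL functions. The table, the allowlist and the helper names are assumptions made for illustration.

```python
import sqlite3

# Authorizer action codes; fall back to the values from sqlite3.h
# if this Python build does not export them.
SQLITE_READ = getattr(sqlite3, "SQLITE_READ", 20)
SQLITE_SELECT = getattr(sqlite3, "SQLITE_SELECT", 21)
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)

# Hypothetical allowlist: only functions the application actually needs.
ALLOWED_FUNCTIONS = frozenset({"upper", "lower", "length", "count"})


def authorizer(action, arg1, arg2, dbname, source):
    """Default-deny: read-only SELECTs, and only allowlisted functions."""
    if action in (SQLITE_SELECT, SQLITE_READ):
        return sqlite3.SQLITE_OK
    if action == SQLITE_FUNCTION:
        # For SQLITE_FUNCTION the function name arrives in the second argument.
        name = (arg2 or "").lower()
        if name in ALLOWED_FUNCTIONS:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    # Writes, schema changes, PRAGMA, ATTACH and everything else.
    return sqlite3.SQLITE_DENY


def open_restricted_db():
    """Build a constructed sample database, then install the authorizer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    conn.commit()
    conn.set_authorizer(authorizer)  # applies to statements prepared from now on
    return conn


def run_untrusted(conn, sql):
    """Run one statement; return ('ok', rows) or ('denied', error text)."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    db = open_restricted_db()
    print(run_untrusted(db, "SELECT upper(name) FROM users"))
    print(run_untrusted(db, "SELECT printf('%d', 1)"))
```

The denial happens when the statement is prepared, so a rejected function is never evaluated.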