CVE-2019-5018, Resolved Which Version?


CVE-2019-5018, Resolved Which Version?

Mike Nicolino
Apologies if this has been covered earlier; I searched back through the history and didn't find the answer.

I am trying to determine which version CVE-2019-5018 is resolved in.  The Talos post (https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777) references a vendor patch on 2019-03-28, but there's no SQLite release on that date.  My theory is that it is resolved in the 3.28 SQLite release (rather than on that date), but I'd like confirmation as the release notes for 3.27 and 3.28 don't reference it.

Thanks,
Mike Nicolino
Centrify Corporation

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: CVE-2019-5018, Resolved Which Version?

Simon Slavin-3
On 5 Jun 2019, at 2:35am, Mike Nicolino <[hidden email]> wrote:

> My theory is that it is resolved in the 3.28 SQLite release (rather than on that date), but I'd like confirmation as the release notes for 3.27 and 3.28 don't reference it.

The only public comment about the fix seems to be here:

<https://latesthackingnews.com/2019/05/14/serious-sqlite-remote-code-execution-vulnerability-discovered/>

" The vendors subsequently patched the flaw with the release of the version 3.28.0. "

Another source, which I do not have permission to refer to publicly, says that this vulnerability was fixed in 3.28.0, described here:

<https://www.sqlite.org/releaselog/3_28_0.html>

From what I can see neither the vulnerability nor the fix were officially acknowledged by SQLite developers.  If you wish to test a SQLite version for a fix yourself, detailed discussion of the vulnerability with demonstration code can be found here:

<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777>

Re: CVE-2019-5018, Resolved Which Version?

Richard Hipp-3
In reply to this post by Mike Nicolino
On 6/4/19, Mike Nicolino <[hidden email]> wrote:
>
> I am trying to determine which version CVE-2019-5018 is resolved in.

It appears to be 3.28.0, as best as I can tell.
--
D. Richard Hipp
[hidden email]
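
A first-pass version check for the question in this thread, as an added example that is not part of any poster's message and not SQLite's own code: it compares dotted version strings and `SQLITE_VERSION_NUMBER`-style integers against 3.28.0, the release the replies identify. The component names in the sample inventory are constructed.

```python
import re
import sqlite3

# Release the replies above identify as containing the fix for CVE-2019-5018.
FIXED_IN = (3, 28, 0)

def parse_sqlite_version(value):
    """Accept '3.27.2', '3.28', or SQLITE_VERSION_NUMBER form (e.g. 3027002)."""
    text = str(value).strip()
    if re.fullmatch(r"\d{7,}", text):  # integer form: X*1000000 + Y*1000 + Z
        n = int(text)
        return (n // 1_000_000, (n // 1000) % 1000, n % 1000)
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text)
    if not m:
        raise ValueError(f"unrecognised SQLite version: {value!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def at_or_after_fix(value):
    """True when the version is 3.28.0 or later."""
    return parse_sqlite_version(value) >= FIXED_IN

def audit(inventory):
    """Map component name -> (parsed version or None, at-or-after-3.28.0 flag)."""
    report = {}
    for name, raw in inventory.items():
        try:
            version = parse_sqlite_version(raw)
            report[name] = (version, version >= FIXED_IN)
        except ValueError:
            report[name] = (None, False)  # unknown version: review by hand
    return report

def runtime_library():
    """Ask the SQLite library linked into this process for its own version."""
    with sqlite3.connect(":memory:") as conn:
        version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    return version, at_or_after_fix(version)

# Constructed sample inventory; the component names are hypothetical.
SAMPLE = {"agent-bundled": "3.27.2", "os-package": 3028000, "legacy-tool": "unknown"}

if __name__ == "__main__":
    print("linked SQLite:", *runtime_library())
    for name, (version, ok) in audit(SAMPLE).items():
        print(f"{name}: {version} -> {'>= 3.28.0' if ok else 'needs review'}")
```

A packager can backport a fix without changing the version string, so a "needs review" result means the build predates 3.28.0 by version number, not that it has been shown to be affected.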