Marius Bakke <mba...@fastmail.com> writes: > Hello! > > There is allegedly a remote code execution bug in all versions of SQLite > prior to 3.26.0: <https://blade.tencent.com/magellan/index_en.html>. > > I think it is safe to graft 3.26.0 in-place: > > $ abidiff > /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so > /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so > Functions changes summary: 0 Removed, 0 Changed, 0 Added function > > Variables changes summary: 0 Removed, 0 Changed, 0 Added variable > > Function symbols changes summary: 0 Removed, 1 Added function symbol not > referenced by debug info > Variable symbols changes summary: 0 Removed, 0 Added variable symbol not > referenced by debug info > > 1 Added function symbol not referenced by debug info: > > > sqlite3_create_window_function > > ...but I have not tested this. It's difficult to tell which patches to > apply without knowing more details of the vulnerability. > > I am currently building a branch that adds a "static" output for > SQLite in order to catch users of libsqlite3.a. Can we start this on > Berlin concurrently? Patches attached.
Perhaps it's better to start over 'staging' with the new SQLite in the mean time? Hydra didn't get too far yet. It does not add a lot to the current rebuild count.
signature.asc
Description: PGP signature