Your message dated Sun, 14 Jun 2026 07:33:36 +0000
with message-id <[email protected]>
and subject line Bug#1139960: fixed in sqlite3 3.53.2-1
has caused the Debian Bug report #1139960,
regarding sqlite3: CVE-2026-11822 CVE-2026-11824
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139960
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sqlite3
Version: 3.46.1-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi Laszlo,

The following vulnerabilities were published for sqlite3.

Can you help assess them please, info on two CVEs below which carry the
same fix references in the database:

CVE-2026-11822[0]:
| SQLite before 3.53.2 contains memory corruption vulnerabilities in
| the FTS5 full-text search extension that allow attackers to cause
| process crashes, memory exhaustion, or arbitrary code execution by
| supplying a crafted database with malformed FTS5 page data.
| Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an
| attacker-controlled loop bound and a heap buffer overflow write in
| fts5ChunkIterate() through a crafted continuation page causing an
| integer underflow, exploitable when an FTS5 MATCH query is executed
| against the malicious database.


CVE-2026-11824[1]:
| SQLite before 3.53.2 contains a heap-based buffer overflow
| vulnerability in the FTS5 full-text search extension that allows
| attackers to cause a crash or execute arbitrary code by supplying a
| crafted database with malicious continuation page metadata
| specifying a szLeaf value smaller than 4. Attackers can trigger an
| integer underflow in fts5ChunkIterate() causing an inflated
| remaining byte count during FTS5 MATCH query processing, leading to
| a heap buffer overflow of attacker-controlled data in applications
| compiled with SQLITE_ENABLE_FTS5.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11822
    https://www.cve.org/CVERecord?id=CVE-2026-11822
[1] https://security-tracker.debian.org/tracker/CVE-2026-11824
    https://www.cve.org/CVERecord?id=CVE-2026-11824
[2] https://sqlite.org/src/info/061febcf41ca
[3] https://sqlite.org/src/info/4a5ad516ea93

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
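The CVE text above describes an unchecked size field (szLeaf below 4) being subtracted from before validation, so the remaining byte count wraps. The following is an added illustration of that bug class and its fix; it is not SQLite's code, and the 4-byte header layout, the page sizes and the sample pages are a constructed, simplified model rather than the real FTS5 leaf format.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Bytes of header in the simplified page model (assumed, not the FTS5 layout). */
#define HDR_SIZE 4u

/* Constructed sample pages (not real database content): szLeaf=10 and szLeaf=2. */
static const uint8_t kGoodPage[16] = {0x00,0x0a, 0x00,0x04, 'h','e','l','l','o',' '};
static const uint8_t kBadPage[16]  = {0x00,0x02, 0x00,0x00};

/* Read a 16-bit big-endian field. */
static unsigned get_u16(const uint8_t *p){ return ((unsigned)p[0] << 8) | p[1]; }

/* Unchecked: the pattern behind the CVE description. Returns the payload byte
 * count a caller would then copy; with szLeaf < HDR_SIZE the unsigned
 * subtraction wraps to a huge value, so the copy would run far past the page. */
unsigned remaining_unchecked(const uint8_t *page){
  return get_u16(page) - HDR_SIZE;
}

/* Checked: szLeaf must at least cover the header and must not exceed the buffer
 * actually read from the file. Returns -1 on a malformed header. */
long remaining_checked(const uint8_t *page, size_t page_size){
  if( page_size < HDR_SIZE ) return -1;
  unsigned szLeaf = get_u16(page);
  if( szLeaf < HDR_SIZE || szLeaf > page_size ) return -1;
  return (long)(szLeaf - HDR_SIZE);
}

/* Copy the payload only after the header validates and it fits the output buffer. */
long copy_payload(const uint8_t *page, size_t page_size, uint8_t *out, size_t out_size){
  long n = remaining_checked(page, page_size);
  if( n < 0 || (size_t)n > out_size ) return -1;
  memcpy(out, page + HDR_SIZE, (size_t)n);
  return n;
}

/* Wrapper for the good page; returns bytes copied (6) or -1. */
long demo_copy_good(void){
  uint8_t out[16];
  return copy_payload(kGoodPage, sizeof kGoodPage, out, sizeof out);
}

int main(void){
  printf("bad page:  unchecked=%u checked=%ld\n", remaining_unchecked(kBadPage), remaining_checked(kBadPage, sizeof kBadPage));
  printf("good page: checked=%ld copied=%ld\n", remaining_checked(kGoodPage, sizeof kGoodPage), demo_copy_good());
  return 0;
}
```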
--- Begin Message ---
Source: sqlite3
Source-Version: 3.53.2-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 13 Jun 2026 21:08:12 +0200
Source: sqlite3
Architecture: source
Version: 3.53.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1139960
Changes:
 sqlite3 (3.53.2-1) unstable; urgency=high
 .
   * New upstream release (closes: #1139960):
     - fixes CVE-2026-11822: memory corruption vulnerabilities in the FTS5
       full-text search extension,
     - fixes CVE-2026-11824: heap-based buffer overflow vulnerability in the
       FTS5 full-text search extension.
   * Remove sqlite3JsonTableFunctions@Base, sqlite3TriggerStepSrc@Base and
     sqlite3VdbeCheckFk@Base symbols as no longer part of the library.
   * Update symbols file.
   * Update watch file.



--- End Message ---