Hi László,

On Tue, Apr 08, 2025 at 10:52:11PM +0200, László Böszörményi (GCS) wrote:
> Control: found -1 3.44.0-1
> Control: fixed -1 3.49.1
> Control: forwarded -1 https://sqlite.org/src/info/498e3f1cf57f164f
> Control: tags -1 +patch +fixed-upstream
> 
> Hi,
> 
> On Tue, Apr 8, 2025 at 9:51 PM Salvatore Bonaccorso <[email protected]> wrote:
> > The following vulnerability was published for sqlite3.
> >
> > CVE-2025-29087[0]:
> > | Sqlite 3.49.0 is susceptible to integer overflow through the concat
> > | function.
>  This is zero information. :( I add what I know from upstream. This
> bug is introduced in upstream version 3.44.0 (doesn't affect our
> stable releases as those are older ones). The actual vulnerability is
> in the concat_ws() function, which can cause a memory error if the
> separator string is very large (hundreds of megabytes). The fix is
> already in place and a small one. I plan to upload it tomorrow
> afternoon.

Thank you very much for provinding this additional information. Yes
the CVE entry iself was with so little information. Thanks for
updating the tracker accordingly.

> Hope this helps,

Yes it does :)

Regards,
Salvatore

Reply via email to