Hi László, On Tue, Apr 08, 2025 at 10:52:11PM +0200, László Böszörményi (GCS) wrote: > Control: found -1 3.44.0-1 > Control: fixed -1 3.49.1 > Control: forwarded -1 https://sqlite.org/src/info/498e3f1cf57f164f > Control: tags -1 +patch +fixed-upstream > > Hi, > > On Tue, Apr 8, 2025 at 9:51 PM Salvatore Bonaccorso <[email protected]> wrote: > > The following vulnerability was published for sqlite3. > > > > CVE-2025-29087[0]: > > | Sqlite 3.49.0 is susceptible to integer overflow through the concat > > | function. > This is zero information. :( I add what I know from upstream. This > bug is introduced in upstream version 3.44.0 (doesn't affect our > stable releases as those are older ones). The actual vulnerability is > in the concat_ws() function, which can cause a memory error if the > separator string is very large (hundreds of megabytes). The fix is > already in place and a small one. I plan to upload it tomorrow > afternoon.
Thank you very much for provinding this additional information. Yes the CVE entry iself was with so little information. Thanks for updating the tracker accordingly. > Hope this helps, Yes it does :) Regards, Salvatore

