Re: [sqlite] CVE-2019-19317

2019-12-15 Thread Gary R. Schmidt

On 15/12/2019 10:16, Yongheng Chen wrote:

> When we report the bugs, we said that they were from the 3.31 version, but people 
> at Mitre changed them to 3.30.1. We just reported what we found. And the commit 
> we reported in the bug report references the official GitHub repo.

Of course the people at Mitre changed the version number, they do not 
create a CVE for *unreleased* software.


It has already been pointed out that GitHub is not the official 
repository, it is a mirror.
You should be using the Fossil repository to test unreleased versions, 
which means you will get the latest version.


Also, reporting bugs here (or to sqlite-dev) would be the polite thing 
to do, as it gives the developers a chance to fix things before the 
software gets released, rather than causing a CVE to be generated for a 
problem that does not yet exist in the real world.


And it means that I (and others) won't be having to answer email from 
customers on Monday (their time) and Tuesday (my time) where they are in 
a complete panic because they've discovered[1] that a CVE has been 
raised on a component of the products, and, "Oh, no, the sky is falling, 
what shall we do, what shall we do?!?!?!"


Cheers,
GaryB-)

1 - Yes, they're smart enough to troll the CVE lists looking for 
problems, but not smart enough to evaluate the possible effects of the 
problem.

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] CVE-2019-19317

2019-12-14 Thread Simon Slavin
On 14 Dec 2019, at 11:16pm, Yongheng Chen  wrote:

> When we report the bugs, we said that they were from the 3.31 version, but people 
> at Mitre changed them to 3.30.1. We just reported what we found. And the 
> commit we reported in the bug report references the official GitHub 
> repo. 
> 
> Bugs are found in the latest version

I need to clarify this for you, because the difference is important.

The version of SQLite you tested was never released.  It was not version 
3.30.1.  It was not version 3.31.  It was no version at all.  The version you 
downloaded was a work in progress.  The programmers were still working on it.

There is no point in reporting bugs in such a version to CVE.  Because CVE 
requires a version number to report bugs and that version of SQLite does not 
have a version number.

However, your work is important.  If you would like the current version of 
SQLite to test, please download it from this page.  Do not depend on a version 
in GITHUB.  This may not be an official copy.



You will find two copies of SQLite there:

At the top you will find "Pre-release Snapshots".  These are not released.  
They do not have a version number.  Nobody should be using it.  It is there so 
that people can look at new features and recent bug-fixes.  If you find a bug 
in this version, please report it by posting here, including the name of the 
download (e.g. "sqlite-snapshot-201911192122.tar.gz").  The developers will 
thank you for your work and correct the bug before that version is released.

Lower down you will find "Source Code".  This version has been released.  It 
has a version number.  People might be using it.  If you find a bug in this 
version please report it here as above.  But you could also report it elsewhere 
if you want, since you will be able to report which version the bug affects.

Thank you for your help.


Re: [sqlite] CVE-2019-19317

2019-12-14 Thread Yongheng Chen
When we report the bugs, we said that they were from the 3.31 version, but people 
at Mitre changed them to 3.30.1. We just reported what we found. And the commit 
we reported in the bug report references the official GitHub repo. 

Bugs are found in the latest version, because there are so many bugs in the 
release version that have already been fixed in the development code. So there's 
no point finding bugs in the release version, as we have to verify whether the 
latest code still has such a bug anyway. Some bugs we found can be reproduced in the 
release version with a slight change in the test case, but when we asked the 
developer to confirm them again, we didn't get a reply, as they had been fixed in 
the development version after we reported them. 


> On Dec 14, 2019, at 5:41 PM, Richard Hipp  wrote:
> 
> On 12/14/19, Raitses, Alex  wrote:
>> Hello,
>> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
>> submitted on SQLite.
>> As far as I can see the patch is already submitted. Can you confirm please?
>> Do you have estimation for the fixed version release?
> 
> 
> This CVE appears to reference a bug in an unreleased development
> version of SQLite only.  The bug has never appeared in any official
> release version of SQLite, as far as I can tell.  So there is nothing
> to fix.
> 
> The CVE is from a third-party, not one of the SQLite developers.
> There was no coordination between the CVE authors and the SQLite
> developers.
> 
> SQLite is open-source.  Anybody can download our latest development
> code and run fuzzers or other tests against it.  Sometimes those
> people find issues in unreleased code and write CVEs against them,
> even though the problem has never appeared in any release.
> 
> One clue that this is a third-party CVE that does not have the
> endorsement of the SQLite developers is that it references a GitHub
> mirror of the source-code repository, rather than the official Fossil
> source-code repository.  The developers would never do that.
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org


Re: [sqlite] CVE-2019-19317

2019-12-14 Thread Richard Hipp
On 12/14/19, Raitses, Alex  wrote:
> Hello,
> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
> submitted on SQLite.
> As far as I can see the patch is already submitted. Can you confirm please?
> Do you have estimation for the fixed version release?


This CVE appears to reference a bug in an unreleased development
version of SQLite only.  The bug has never appeared in any official
release version of SQLite, as far as I can tell.  So there is nothing
to fix.

The CVE is from a third-party, not one of the SQLite developers.
There was no coordination between the CVE authors and the SQLite
developers.

SQLite is open-source.  Anybody can download our latest development
code and run fuzzers or other tests against it.  Sometimes those
people find issues in unreleased code and write CVEs against them,
even though the problem has never appeared in any release.

One clue that this is a third-party CVE that does not have the
endorsement of the SQLite developers is that it references a GitHub
mirror of the source-code repository, rather than the official Fossil
source-code repository.  The developers would never do that.

-- 
D. Richard Hipp
d...@sqlite.org


Re: [sqlite] CVE-2019-19317

2019-12-14 Thread Shawn Wagner
Addendum: I suspect it's the one mentioned as being filed in this earlier
thread:
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg117794.html


On Sat, Dec 14, 2019, 2:12 PM Shawn Wagner  wrote:

> This appears to be a CVE pertaining to a feature that hasn't even been
> released yet (generated columns will be in the upcoming 3.31; they're
> certainly not in the referenced 3.30.1). Unless you're using the
> development snapshot from the download page or following trunk on fossil
> and haven't updated in a while, it sounds like a complete non-issue.
>
> On Sat, Dec 14, 2019, 1:36 PM Raitses, Alex 
> wrote:
>
>> Hello,
>> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
>> submitted on SQLite.
>> As far as I can see the patch is already submitted. Can you confirm
>> please?
>> Do you have estimation for the fixed version release?
>>
>>
>> Thanks in advance,
>> Regards,
>> Alex
>>
>> -
>> Intel Israel (74) Limited
>>
>> This e-mail and any attachments may contain confidential material for
>> the sole use of the intended recipient(s). Any review or distribution
>> by others is strictly prohibited. If you are not the intended
>> recipient, please contact the sender and delete all copies.
>>
>


Re: [sqlite] CVE-2019-19317

2019-12-14 Thread Shawn Wagner
This appears to be a CVE pertaining to a feature that hasn't even been
released yet (generated columns will be in the upcoming 3.31; they're
certainly not in the referenced 3.30.1). Unless you're using the
development snapshot from the download page or following trunk on fossil
and haven't updated in a while, it sounds like a complete non-issue.

On Sat, Dec 14, 2019, 1:36 PM Raitses, Alex  wrote:

> Hello,
> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
> submitted on SQLite.
> As far as I can see the patch is already submitted. Can you confirm please?
> Do you have estimation for the fixed version release?
>
>
> Thanks in advance,
> Regards,
> Alex
>
> -
> Intel Israel (74) Limited
>
>
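A triage check for the point Shawn makes above, added here as an example (it is not code from the thread or from the SQLite project): it asks the SQLite library linked into Python whether it accepts generated-column syntax and flags a build that has the feature while reporting a version below 3.31, since only such a development snapshot contains the code the CVE describes. The probe table name and the 3.31 threshold are the assumptions it makes.

```python
"""Tell a released SQLite build from a development snapshot before acting on
CVE-2019-19317, which concerns generated columns (a 3.31 feature, not 3.30.1).
Added example; not part of the mailing-list thread or of SQLite itself."""
import sqlite3


def parse_version(text: str) -> tuple:
    """Turn a version string such as '3.30.1' into (3, 30, 1) for comparison."""
    return tuple(int(part) for part in text.split("."))


def supports_generated_columns(conn: sqlite3.Connection) -> bool:
    """Return True if the library parses a generated-column definition.

    Older releases reject the 'AS (expr)' clause with a syntax error, which
    sqlite3 raises as OperationalError; 3.31 snapshots and later accept it.
    """
    try:
        # gc_probe is a hypothetical scratch table used only for this check.
        conn.execute("CREATE TEMP TABLE gc_probe(a INTEGER, b AS (a + 1))")
        conn.execute("DROP TABLE gc_probe")
        return True
    except sqlite3.OperationalError:
        return False


def probe() -> dict:
    """Summarise the linked SQLite library for CVE applicability triage."""
    conn = sqlite3.connect(":memory:")
    version = sqlite3.sqlite_version
    has_feature = supports_generated_columns(conn)
    conn.close()
    # Assumption: generated columns first ship in the 3.31.0 release.
    released_with_feature = parse_version(version) >= (3, 31, 0)
    return {
        "version": version,
        "generated_columns": has_feature,
        # The feature present in a build numbered below 3.31 means the build
        # is an unreleased snapshot, the only kind the CVE text could describe.
        "looks_like_dev_snapshot": has_feature and not released_with_feature,
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```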


[sqlite] CVE-2019-19317

2019-12-14 Thread Raitses, Alex
Hello,
CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was submitted 
on SQLite.
As far as I can see the patch is already submitted. Can you confirm please?
Do you have estimation for the fixed version release?


Thanks in advance,
Regards,
Alex

-
Intel Israel (74) Limited
