[Sorry for the late reply, but I enjoyed a nice long weekend except for the sunburns. I kept the wider Cc:s since it feels like this can be opened.]
On Sat, Jul 01, 2017 at 12:52:54PM +0200, Even Rouault wrote:
> Seth, I can turn the Launchpad bug report as public if you wish. I
> marked it privately if Ubuntu felt it was better. I don't care that much
> about disclosing it publicly.

Aha, I wasn't certain we were allowed to mark it public yet. I don't want to upset anyone needlessly, but it would be easier to discuss the bug in public. (Especially since it appears to be 'just' out-of-bound reads. This can of course be surprising and have non-obvious consequences, but it doesn't immediately lead to e.g. remote code execution.)

Does this issue sound like it should receive a CVE to ensure other consumers of sqlite3 discover it? I'm happy to do the paperwork if so.

On Sat, Jul 01, 2017 at 11:28:10AM -0400, Richard Hipp wrote:
> A proper fix for the problem can be seen at
> https://sqlite.org/src/info/66de6f4a

Now this is short and sweet. I like the look of this patch quite a lot more than the start of the larger transformation.

On Sat, Jul 01, 2017 at 05:40:57PM +0200, Even Rouault wrote:
> > The plain ASCII patch can be seen at
> > https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
>
> I've just applied this patch on top of 3.11.0. It applies cleanly
>
> patching file ext/rtree/rtree.c
> Hunk #1 succeeded at 3153 (offset -282 lines).
> patching file ext/rtree/rtreeA.test
>
> and I confirm that it solves the issue !

Very good news! Thank you both.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users