Red Hat Bugzilla – Bug 1469672
CVE-2017-10989 sqlite: Heap-buffer overflow in the getNodeSize function
Last modified: 2017-09-12 11:33:56 EDT
The getNodeSize function in ext/rtree/rtree.c in SQLite mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
Created mingw-sqlite tracking bugs for this issue:
Affects: epel-7 [bug 1469674]
Affects: fedora-all [bug 1469676]
Created sqlite tracking bugs for this issue:
Affects: fedora-all [bug 1469673]
Created sqlite2 tracking bugs for this issue:
Affects: epel-all [bug 1469677]
Affects: fedora-all [bug 1469675]
This seems to only affect sqlite versions older than 3.17 as, according to the sqlite developers and the reporter of the Ubuntu bug, the issue has been indirectly fixed in version 3.17.
For later versions the patch serves only to detect the issue earlier and to provide the user with a more useful error message.