SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to a heap out-of-bounds read in the rtreenode() function when handling invalid rtree tables. Upstream commit: https://www.sqlite.org/src/info/90acdbfce9c08858
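The recurring question in this thread is whether a particular build falls inside the range stated above. The following Python script is an added example, not part of the bug report or of SQLite itself: it parses an SQLite version string, checks it against the affected range given in the description (3.6.0 through 3.27.2 inclusive, fixed in 3.28.0), and reports the library version that Python's own sqlite3 module is linked against. The helper names are assumptions for this example. A distribution build that carries a backported fix keeps its upstream version number (RHEL 8 received the fix through an erratum rather than a version bump), so a hit here is a prompt to consult the vendor advisory, not proof of exposure.

```python
import re
import sqlite3

# Affected range as stated in the bug description (inclusive on both ends)
# and the first upstream release carrying the fix.
AFFECTED_MIN = (3, 6, 0)
AFFECTED_MAX = (3, 27, 2)
FIXED_IN = (3, 28, 0)


def parse_version(text):
    """Parse 'X.Y.Z' (or 'X.Y') into a comparable tuple, ignoring any suffix."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised SQLite version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def in_stated_affected_range(version_text):
    """True if the version lies inside the upstream-stated affected range.

    Caveat: a vendor backport (e.g. an RHEL erratum) does not change the
    reported version, so True means "check the vendor advisory", not
    "confirmed vulnerable".
    """
    v = parse_version(version_text)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def linked_library_version():
    """Version of the SQLite library this Python process is linked against."""
    return sqlite3.sqlite_version


def assess_linked_library():
    """Triage summary for the locally linked SQLite library."""
    v = linked_library_version()
    return {
        "version": v,
        "in_stated_range": in_stated_affected_range(v),
        "fixed_in": ".".join(str(n) for n in FIXED_IN),
    }


if __name__ == "__main__":
    # Hypothetical sample versions drawn from the thread, plus the local library.
    for sample in ("3.7.17", "3.27.2", "3.28.0"):
        print(sample, "in stated affected range:", in_stated_affected_range(sample))
    print(assess_linked_library())
```

Run it on the host in question; the third column of output for a version such as 3.7.17 shows that it sits inside the stated range, which is the point the later comments on rhel-7 turn on.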
Created sqlite3 tracking bugs for this issue: Affects: fedora-all [bug 1716883]
Created sqlite3-dbf tracking bugs for this issue: Affects: fedora-all [bug 1716884]
Created sqlite3-dbf tracking bugs for this issue: Affects: epel-all [bug 1716885]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Created sqlite tracking bugs for this issue: Affects: fedora-all [bug 1719121]
(In reply to Product Security DevOps Team from comment #3)
> This CVE Bugzilla entry is for community support informational purposes only
> as it does not affect a package in a commercially supported Red Hat product.
> Refer to the dependent bugs for status of those individual community
> products.

Does this mean the sqlite version 3.7.17 is not impacted?
Hello, is sqlite version 3.7.17 affected by this issue? From my investigation, the upstream patch is not applicable on rhel-7, as it does not support sqlite3 objects, and I do not have a reproducer for this bug to test whether there is a real problem. If it is not affected, can we close this bug? Thank you.
Based on the tags on the upstream commit, this was fixed in the upstream version 3.28.0: https://github.com/sqlite/sqlite/commit/e41fd72acc7a06ce5a6a7d28154db1ffe8ba37a8
Is there an ETA for when the upstream fix in 3.28.0 will be picked up, or whether a patch will be made available for 3.7.17? This was reported in June and fixed in other OS distributions like Debian Buster. Is there any reason why this has not been actioned yet?
The patch for this issue is already in testing for rhel-8. Because applying this patch on rhel-7 proved very problematic, we have decided not to apply it to rhel-7.9 due to the risk of instability, as rhel-7.9 should contain only critical and high priority issues.
Thanks for the information @Ondrej! Is there any plan to patch this in rhel-7 at any point?
If there is an urgent request from a customer to resolve this issue, we might consider fixing it. But currently there is no plan to resolve it.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:1810 https://access.redhat.com/errata/RHSA-2020:1810
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-8457