SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
Reference: https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c
Upstream commit: https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
Created mingw-sqlite tracking bugs for this issue:
Affects: fedora-all [bug 1824176]
Created sqlite2 tracking bugs for this issue:
Affects: epel-all [bug 1824175]
Affects: fedora-all [bug 1824177]
Created sqlite3 tracking bugs for this issue:
Affects: fedora-all [bug 1824178]
Why do I still get auto-Cc-ed for SQLite security flaws? I'm no longer a package maintainer of sqlite2 (for quite some time already), nor am I (co-)maintaining sqlite itself.
In reply to comment #2:
> Why do I still get auto-Cc-ed for SQLite security flaws? I'm no longer a
> package maintainer of sqlite2 (for quite some time already), nor am I
> (co-)maintaining sqlite itself.
This is because you still are the default assignee for the sqlite2 component in Fedora EPEL.
It seems like this issue has existed since sqlite-3.25.0, when window functions (https://www.sqlite.org/windowfunctions.html) were added, but it led to a segmentation fault only after https://www3.sqlite.org/cgi/src/info/712e47714863a8ed was committed, which could result in denial of service. This commit is part of the sqlite-3.30 release. Therefore previous versions are not vulnerable to this flaw.
Statement: It seems like this issue has existed since sqlite-3.25.0, when window functions (https://www.sqlite.org/windowfunctions.html) were added, but it led to a segmentation fault only after https://www3.sqlite.org/cgi/src/info/712e47714863a8ed was committed, which could result in denial of service. This commit is part of the sqlite-3.30 release. Therefore previous versions are not vulnerable to this flaw.
Created sqlite tracking bugs for this issue:
Affects: fedora-all [bug 1840140]
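The version analysis in the Statement above can be turned into a triage check. This is an added example, not part of the original bug report or any SQLite or distribution tooling. The status labels, function names and the sample inventory are assumptions made for illustration, and the boundaries are the ones stated on this page.

```python
import re
import sqlite3

# Boundaries as stated on this page (advisory text and the Statement).
WINDOW_FUNCS_ADDED = (3, 25, 0)  # window functions introduced
CRASH_REACHABLE = (3, 30, 0)     # release said to contain commit 712e47714863a8ed
LAST_AFFECTED = (3, 31, 1)       # "SQLite through 3.31.1"


def parse_version(text):
    """Parse '3.31.1', '3.30' or a package string like '3.26.0-15.el8'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a SQLite version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def classify(version):
    """Map an upstream version to its status under the page's analysis."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)[:3]
    if v < WINDOW_FUNCS_ADDED:
        return "no-window-functions"
    if v < CRASH_REACHABLE:
        return "latent-no-crash"
    if v <= LAST_AFFECTED:
        # A distro build may carry the upstream fix as a backport; the
        # version number alone cannot show that, so treat as needing review.
        return "affected-range"
    return "newer-than-advisory"


def needs_review(inventory):
    """Return the hosts whose SQLite falls in the affected range."""
    return [host for host, ver in inventory if classify(ver) == "affected-range"]


def runtime_status():
    """Classify the SQLite library linked into this Python interpreter."""
    return classify(sqlite3.sqlite_version_info)


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("build-01", "3.7.17"),
    ("web-02", "3.26.0-15.el8"),
    ("app-03", "3.30.1"),
    ("app-04", "3.31.1"),
    ("dev-05", "3.32.0"),
]

if __name__ == "__main__":
    print("this interpreter:", runtime_status())
    print("needs review:", needs_review(SAMPLE_INVENTORY))
```

Hosts reported in the affected range still need a package-changelog check, because a backported fix does not change the upstream version number.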