Re: Information on recent sqlite3 issues?

[Nicholas Luedtke <nsl () hpe com>]

On 06/01/2017 07:14 AM, Kurt Seifried wrote:
> I will bring this up at the next cve board meeting (2 weeks from now).
>
>
> -Kurt
Thanks Kurt, its worth noting this happens often with libxml as well.

> > On Jun 1, 2017, at 00:20, Johannes Segitz <jsegitz () suse de> wrote:
> >
> > > On Thu, Jun 01, 2017 at 12:24:10AM +0200, Andreas Stieger wrote:
> > > Hello,
> > >
> > >
> > > > On 05/31/2017 10:30 PM, Moritz Muehlenhoff wrote:
> > > > one of the latest Apple advisories mentions several vulnerabilities in sqlite:
> > > > https://support.apple.com/en-us/HT207798
> > > >
> > > > CVE-2017-2513: found by OSS-Fuzz
> > > > CVE-2017-2518: found by OSS-Fuzz
> > > > CVE-2017-2520: found by OSS-Fuzz
> > > > CVE-2017-2519: found by OSS-Fuzz
> > > > CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
> > > > CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
> > > >
> > > > Does anyone have additional information on those and whether that
> > > > applies to the standard sqlite releases or Apple-specific changes?
> > > SUSE has asked Apple, but has not yet received an answer as far as I am
> > > aware.
> > They replied:
> >
> > > Thank you for contacting the Apple Product Security team.
> > >
> > > Please contact the SQLite maintainers to coordinate.
> > I think it is problematic that they assign CVEs but don't provice any
> > details even if it's not only their code. I contacted the sqlite-devs for
> > details but didn't receive a reply up to this point.
> >
> > Johannes

-- 
Nicholas Luedtke
HPE Linux Security, Hewlett-Packard Enterprise

Attachment: signature.asc
Description: OpenPGP digital signature