[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ MDVSA-2015:217 ] sqlite3



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:217
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : sqlite3
 Date    : April 30, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in sqlite3:
 
 SQLite before 3.8.9 does not properly implement the dequoting of
 collation-sequence names, which allows context-dependent attackers to
 cause a denial of service (uninitialized memory access and application
 crash) or possibly have unspecified other impact via a crafted COLLATE
 clause, as demonstrated by COLLATE at the end of a SELECT statement
 (CVE-2015-3414).
 
 The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9
 does not properly implement comparison operators, which allows
 context-dependent attackers to cause a denial of service (invalid
 free operation) or possibly have unspecified other impact via a
 crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE
 TABLE statement (CVE-2015-3415).
 
 The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does
 not properly handle precision and width values during floating-point
 conversions, which allows context-dependent attackers to cause a
 denial of service (integer overflow and stack-based buffer overflow)
 or possibly have unspecified other impact via large integers in a
 crafted printf function call in a SELECT statement (CVE-2015-3416).
 
 The updated packages provides a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
 https://bugzilla.redhat.com/show_bug.cgi?id=1212353
 https://bugzilla.redhat.com/show_bug.cgi?id=1212356
 https://bugzilla.redhat.com/show_bug.cgi?id=1212357
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 adb7e2731d814af7948c8a65662e7c71  mbs1/x86_64/lemon-3.8.9-1.mbs1.x86_64.rpm
 8c9620460c62d0f7d07bd5fee68ac038  mbs1/x86_64/lib64sqlite3_0-3.8.9-1.mbs1.x86_64.rpm
 f060fd3ca68302f59e47e9bc1b336d4b  mbs1/x86_64/lib64sqlite3-devel-3.8.9-1.mbs1.x86_64.rpm
 0fdd2e8a7456b51773b2a131534b9867  mbs1/x86_64/lib64sqlite3-static-devel-3.8.9-1.mbs1.x86_64.rpm
 14682c0d09a3dc73f4405ee136c6115d  mbs1/x86_64/sqlite3-tcl-3.8.9-1.mbs1.x86_64.rpm
 c2fc81b9162865ecdcef85aaa805507f  mbs1/x86_64/sqlite3-tools-3.8.9-1.mbs1.x86_64.rpm 
 474e6b9bc6a7299f8ab34a90893bbd96  mbs1/SRPMS/sqlite3-3.8.9-1.mbs1.src.rpm

 Mandriva Business Server 2/X86_64:
 44c4a002a3480388751603981327a21d  mbs2/x86_64/lemon-3.8.9-1.mbs2.x86_64.rpm
 9d2ded51447e5f133c37257635ef4f22  mbs2/x86_64/lib64sqlite3_0-3.8.9-1.mbs2.x86_64.rpm
 42c8fce0126487fa0a72b4f5f1b5e852  mbs2/x86_64/lib64sqlite3-devel-3.8.9-1.mbs2.x86_64.rpm
 a93c0f348006f6675779bf7cd5c9f547  mbs2/x86_64/lib64sqlite3-static-devel-3.8.9-1.mbs2.x86_64.rpm
 792f42a7a38d7947e7b5d0ea67510de2  mbs2/x86_64/sqlite3-tcl-3.8.9-1.mbs2.x86_64.rpm
 947e30fcb8c4f19b1398d6e29adc29ac  mbs2/x86_64/sqlite3-tools-3.8.9-1.mbs2.x86_64.rpm 
 150cb2acc870d5ca8a343f21edef4248  mbs2/SRPMS/sqlite3-3.8.9-1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVQdZEmqjQ0CJFipgRAvj9AJ9qeo094/bpIyYh46OHXWO6W26qUACg4mCP
t5Ka/OioHfZ/AmIloxds0/s=
=X45P
-----END PGP SIGNATURE-----