Hi Salvatore,

On Tue, Jun 11, 2019 at 6:18 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> On Mon, Jun 10, 2019 at 05:06:07PM +0000, Debian Bug Tracking System wrote:
> >  sqlite3 (3.27.2-3) unstable; urgency=high
> >  .
> >    * Backport security related patches:
> [...]
> >      - prevent aliases of window functions expressions from being used as
> >        arguments to aggregate or other window functions (probably fixing
> >        CVE-2019-5018) (closes: #928770),
>
> Did you get any upstream confirmation, or from the TALOS project, that this
> one was the right fix to pick for the CVE-2019-5018 issue?
I can't find a contact method for the TALOS project. Upstream says they
don't know what CVE-2019-5018 is, but I can assemble the PoC from the
TALOS report page. As far as they know / read the issue, it is fixed in
sqlite3 3.28.0 and I should use that - it being tested in every sense by
their closed-source detailed test cases.
But upstream says that the commit (which I've used for the package) is a
good-to-have fix for window functions.
Then it was asked publicly again, and all that upstream says about which
version / commit fixes this is: "it appears to be 3.28.0, as best as I
can tell"[1]. Anyone can interpret this as s/he would like. :-/

Regards,
Laszlo/GCS
[1] https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg115515.html