Hi!

On Tue, Jun 11, 2019 at 07:24:06AM +0200, László Böszörményi (GCS) wrote:
> Hi Salvatore,
>
> On Tue, Jun 11, 2019 at 6:18 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> > On Mon, Jun 10, 2019 at 05:06:07PM +0000, Debian Bug Tracking System wrote:
> > > sqlite3 (3.27.2-3) unstable; urgency=high
> > > .
> > > * Backport security related patches:
> > [...]
> > > - prevent aliases of window functions expressions from being used as
> > > arguments to aggregate or other window functions (probably fixing
> > > CVE-2019-5018) (closes: #928770),
> >
> > Did you get any upstream confirmation, or confirmation from the TALOS project, that this
> > one was the right fix to pick for the CVE-2019-5018 issue?
> I can't find a contact method for the TALOS project. Upstream says they
> don't know what CVE-2019-5018 is, but I can assemble the PoC from the
> TALOS report page. As they know / read the issue, it is fixed in
> sqlite3 3.28.0 and I should use that, being tested in every sense by
> their closed source detailed test cases.
> But upstream says that the commit (I've used it for the package) is a
> good-to-have fix for window functions.
> Then it was asked publicly again and all that upstream says about which
> version / commit fixes this is: "it appears to be 3.28.0, as best as I
> can tell"[1]. Anyone can interpret this as s/he would like. :-/
Okay, very sad that this is so non-transparent from upstream. Thanks for your research and your attempt at contact!

Regards,
Salvatore