PublicDateAtUSN: 2015-04-24 Candidate: CVE-2015-3416 PublicDate: 2015-04-24 17:59:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416 http://seclists.org/fulldisclosure/2015/Apr/31 https://ubuntu.com/security/notices/USN-2698-1 Description: The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement. Ubuntu-Description: Notes: msalvatore> Some patches from the fix can be applied to the sqlite package. Marking this as needed. Bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783968 Priority: low Discovered-by: Michal Zalewski Assigned-to: mdeslaur CVSS: Patches_sqlite: upstream_sqlite: released (3.8.9) lucid_sqlite: ignored (reached end-of-life) precise_sqlite: ignored (reached end-of-life) precise/esm_sqlite: DNE (precise was needs-triage) trusty_sqlite: ignored (out of standard support) trusty/esm_sqlite: needed utopic_sqlite: ignored (reached end-of-life) vivid_sqlite: ignored (reached end-of-life) vivid/stable-phone-overlay_sqlite: DNE vivid/ubuntu-core_sqlite: DNE wily_sqlite: ignored (reached end-of-life) xenial_sqlite: ignored (end of standard support, was needed) yakkety_sqlite: ignored (reached end-of-life) zesty_sqlite: ignored (reached end-of-life) artful_sqlite: ignored (reached end-of-life) bionic_sqlite: needed cosmic_sqlite: ignored (reached end-of-life) disco_sqlite: ignored (reached end-of-life) eoan_sqlite: ignored (reached end-of-life) focal_sqlite: needed groovy_sqlite: ignored (reached end-of-life) hirsute_sqlite: ignored (reached end-of-life) impish_sqlite: needed jammy_sqlite: needed devel_sqlite: needed Patches_sqlite3: upstream: http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920 upstream: https://www.sqlite.org/src/info/aeca95ac77f6f320 upstream_sqlite3: released (3.8.9) lucid_sqlite3: ignored (reached end-of-life) precise_sqlite3: released (3.7.9-2ubuntu1.2) precise/esm_sqlite3: released (3.7.9-2ubuntu1.2) trusty_sqlite3: released (3.8.2-1ubuntu2.1) trusty/esm_sqlite3: released (3.8.2-1ubuntu2.1) utopic_sqlite3: ignored (reached end-of-life) vivid_sqlite3: released (3.8.7.4-1ubuntu0.1) vivid/stable-phone-overlay_sqlite3: released (3.8.7.4-1ubuntu0.1) vivid/ubuntu-core_sqlite3: released (3.8.7.4-1ubuntu0.1) wily_sqlite3: not-affected (3.8.10.2-1) xenial_sqlite3: not-affected (3.8.10.2-1) esm-infra/xenial_sqlite3: not-affected (3.8.10.2-1) yakkety_sqlite3: not-affected (3.8.10.2-1) zesty_sqlite3: not-affected (3.8.10.2-1) artful_sqlite3: not-affected (3.8.10.2-1) bionic_sqlite3: not-affected (3.8.10.2-1) cosmic_sqlite3: not-affected (3.8.10.2-1) disco_sqlite3: not-affected (3.8.10.2-1) eoan_sqlite3: not-affected (3.8.10.2-1) focal_sqlite3: not-affected (3.8.10.2-1) groovy_sqlite3: not-affected (3.8.10.2-1) hirsute_sqlite3: not-affected (3.8.10.2-1) impish_sqlite3: not-affected (3.8.10.2-1) jammy_sqlite3: not-affected (3.8.10.2-1) devel_sqlite3: not-affected (3.8.10.2-1)