libsqlite3-sys 0.24 has a CVE and needs to be upgraded #2350

Closed
nstinus opened this issue Feb 15, 2023 · 4 comments
@nstinus
Contributor

nstinus commented Feb 15, 2023

Bug Description

A CVE was posted on libsqlite3-sys <0.25:

error[vulnerability]: `libsqlite3-sys` via C SQLite CVE-2022-35737
    ┌─ /n/nvme1/nstinus/src/givre/Cargo.lock:130:1
    │                
130 │ libsqlite3-sys 0.24.2 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------------------- security vulnerability detected
    │                 
    = ID: RUSTSEC-2022-0090
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0090
    = It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large strings were input into SQLite's `printf` function.

      As `libsqlite3-sys` bundles SQLite, it is susceptible to the vulnerability. `libsqlite3-sys` was updated to bundle the patched version of SQLite [here](https://github.com/rusqlite/rusqlite/releases/tag/sys0.25.1).
    = Announcement: https://nvd.nist.gov/vuln/detail/CVE-2022-35737
    = Solution: Upgrade to >=0.25.1
    = libsqlite3-sys v0.24.2
      └── sqlx-core v0.6.2
          ├── sqlx v0.6.2
          │   └── klb-givre-rime v0.11.0
          └── sqlx-macros v0.6.2
              └── sqlx v0.6.2 (*)

Minimal Reproduction

Configure a project with sqlx and invoke cargo deny.

Info

  • SQLx version: 0.6.2
  • SQLx features enabled: sqlite
  • Database server and version: sqlite 3.40.1
  • Operating system: centos 7
  • rustc --version: rustc 1.67.1 (d5a82bbd2 2023-02-07)
@nstinus nstinus added the bug label Feb 15, 2023
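The report above is what `cargo deny check advisories` prints: the vulnerable crate, the fixed version from the advisory, and the reverse dependency chain back to the workspace crate. As an added illustration (this is example code written for this page, not code from the sqlx project or the issue author), the program below does the same walk by hand over a Cargo.lock: it parses the `[[package]]` tables, finds every `libsqlite3-sys` entry older than the 0.25.1 fix named in RUSTSEC-2022-0090, and prints each chain of dependents up to the root. The lock-file text embedded in it is constructed to mirror the tree in the issue; the crate name `klb-givre-rime` is taken from that tree and is otherwise an assumption.

```rust
// Added example (not sqlx's or the issue author's code): a hand-rolled
// Cargo.lock scanner that flags libsqlite3-sys below the RUSTSEC-2022-0090
// fix (0.25.1) and prints reverse dependency chains like `cargo deny` does.
// SAMPLE_LOCK is constructed for this example to mirror the issue's tree.
use std::collections::HashMap;

#[derive(Debug, Clone)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>, // dependency names as written in the lock file
}

/// Parse the subset of Cargo.lock syntax needed here: `[[package]]` tables with
/// `name`, `version` and a multi-line `dependencies = [ ... ]` array (the form
/// Cargo itself writes). Other keys such as `source` are ignored.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs = Vec::new();
    let mut cur: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = cur.take() { pkgs.push(p); }
            cur = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let Some(p) = cur.as_mut() else { continue };
        if in_deps {
            if line.starts_with(']') { in_deps = false; continue; }
            // entries look like "sqlx-core", or "sqlx-core 0.6.2" when two versions coexist
            let dep = line.trim_matches(|c| c == '"' || c == ',');
            let name = dep.split_whitespace().next().unwrap_or("").to_string();
            if !name.is_empty() { p.dependencies.push(name); }
            continue;
        }
        if let Some(v) = line.strip_prefix("name = ") {
            p.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            p.version = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    if let Some(p) = cur { pkgs.push(p); }
    pkgs
}

/// Numeric comparison of x.y.z versions ("0.24.2" < "0.25.1").
/// Cargo.lock always writes three components; pre-release suffixes are dropped.
pub fn version_lt(a: &str, b: &str) -> bool {
    let parse = |s: &str| -> Vec<u64> {
        s.split('-').next().unwrap_or("")
            .split('.').map(|n| n.parse::<u64>().unwrap_or(0)).collect()
    };
    parse(a) < parse(b)
}

/// Each vulnerable package as "name version" together with every chain of
/// dependents ("vuln <- dependent <- ... <- root") ending at a package that
/// nothing else depends on, i.e. a workspace member.
pub fn find_vulnerable(pkgs: &[Package], crate_name: &str, fixed: &str) -> Vec<(String, Vec<String>)> {
    let mut rdeps: HashMap<&str, Vec<usize>> = HashMap::new(); // dep name -> dependents
    for (i, p) in pkgs.iter().enumerate() {
        for d in &p.dependencies {
            rdeps.entry(d.as_str()).or_default().push(i);
        }
    }
    let mut out = Vec::new();
    for (i, p) in pkgs.iter().enumerate() {
        if p.name == crate_name && version_lt(&p.version, fixed) {
            let mut chains = Vec::new();
            walk(pkgs, &rdeps, i, &mut Vec::new(), &mut chains);
            out.push((format!("{} {}", p.name, p.version), chains));
        }
    }
    out
}

fn walk(pkgs: &[Package], rdeps: &HashMap<&str, Vec<usize>>, i: usize, path: &mut Vec<String>, chains: &mut Vec<String>) {
    let p = &pkgs[i];
    let label = format!("{} {}", p.name, p.version);
    if path.contains(&label) { return; } // cycle guard (dev-dependency cycles do occur)
    path.push(label);
    match rdeps.get(p.name.as_str()) {
        Some(parents) => { for &j in parents { walk(pkgs, rdeps, j, path, chains); } }
        None => chains.push(path.join(" <- ")),
    }
    path.pop();
}

/// Constructed lock file for the example, shaped like the tree in the issue.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "klb-givre-rime"
version = "0.11.0"
dependencies = [
 "sqlx",
]

[[package]]
name = "libsqlite3-sys"
version = "0.24.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sqlx"
version = "0.6.2"
dependencies = [
 "sqlx-core",
 "sqlx-macros",
]

[[package]]
name = "sqlx-core"
version = "0.6.2"
dependencies = [
 "libsqlite3-sys",
]

[[package]]
name = "sqlx-macros"
version = "0.6.2"
dependencies = [
 "sqlx-core",
]
"#;

fn main() {
    let pkgs = parse_lock(SAMPLE_LOCK);
    for (hit, chains) in find_vulnerable(&pkgs, "libsqlite3-sys", "0.25.1") {
        println!("RUSTSEC-2022-0090: {hit} (solution: upgrade to >=0.25.1)");
        for c in chains { println!("  {c}"); }
    }
}
```

In a real project the same answer comes from `cargo deny check advisories` or `cargo audit`, which also track the advisory database for you; the hand-rolled walk is only there to show what the tool is reporting. Because the `bundled` build links SQLite statically, the version that matters is the one compiled into the binary, which can be confirmed from the application itself with `SELECT sqlite_version();` and checked against 3.39.2, the first SQLite release that carries the printf fix.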
@CosmicHorrorDev
Contributor

This has already been updated on the 0.7-dev branch. It can't be fixed in 0.6.x because updating libsqlite3-sys is currently a breaking change

@nstinus
Contributor Author

nstinus commented Feb 16, 2023

Why is that a breaking change for the 0.6 branch? I could not find anything in libsqlite3-sys or SQLite release notes that hint at a break.

@CosmicHorrorDev
Contributor

See this comment

#2094 (comment)

@nstinus
Contributor Author

nstinus commented Feb 16, 2023

Fair enough. Thank you.

@nstinus nstinus closed this as completed Feb 16, 2023