Tuesday, August 02, 2022

UPDATE: databases/sqlite3

Here is an update to SQLite 3.39.2, which includes a fix for
CVE-2022-35737.

Commentary from https://www.sqlite.org/cves.html:

This bug is an array-bounds overflow. The bug is only accessible
when using some of the C-language APIs provided by SQLite. The
bug cannot be reached using SQL nor can it be reached by
providing SQLite with a corrupt database file. The bug only
comes up when very long string inputs (greater than 2 billion
bytes in length) are provided as arguments to a few specific
C-language interfaces, and even then only under special
circumstances.

Other changes: https://www.sqlite.org/releaselog/3_39_2.html

Compile-tested on amd64.

Index: Makefile
===================================================================
RCS file: /cvs/ports/databases/sqlite3/Makefile,v
retrieving revision 1.119
diff -p -u -r1.119 Makefile
--- Makefile 7 Jul 2022 21:59:51 -0000 1.119
+++ Makefile 2 Aug 2022 15:46:46 -0000
@@ -1,11 +1,10 @@
COMMENT= embedded SQL implementation

-DISTNAME = sqlite-autoconf-3390000
-PKGNAME= sqlite3-3.39.0
-REVISION= 0
+DISTNAME = sqlite-autoconf-3390200
+PKGNAME= sqlite3-3.39.2

# XXX needs bumps every time :-
-SHARED_LIBS += sqlite3 37.18 # 8.6
+SHARED_LIBS += sqlite3 37.19 # 8.6
# sqlite suggests that users might like to assert() that library and header
# versions match, so bumps are needed even if function signatures don't change.
# ... at the current time the only one noticed is a < check (in subversion)
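
Review bot: the `SHARED_LIBS` minor bump to 37.19 is only backed by a compile test, and the comment directly below it says consumers may check that library and header versions match (subversion is named). Run-testing at least one dependent port against the new library before commit would cover that case. Dropping `REVISION` alongside the `PKGNAME` change is correct for a version update.
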
Index: distinfo
===================================================================
RCS file: /cvs/ports/databases/sqlite3/distinfo,v
retrieving revision 1.66
diff -p -u -r1.66 distinfo
--- distinfo 27 Jun 2022 09:26:17 -0000 1.66
+++ distinfo 2 Aug 2022 15:46:46 -0000
@@ -1,2 +1,2 @@
-SHA256 (sqlite-autoconf-3390000.tar.gz) = 6QvK723VgT/N7k6Gf2tl88m/0K7A8QF/nzu84eTtCeI=
-SIZE (sqlite-autoconf-3390000.tar.gz) = 3064015
+SHA256 (sqlite-autoconf-3390200.tar.gz) = hSvophg6F7pHzuC7/3QAt6pa/9KDvzvu/DT80IiiOd4=
+SIZE (sqlite-autoconf-3390200.tar.gz) = 3064438
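
Review bot: the new `SHA256` value is base64-encoded, so it cannot be compared by eye against a hex digest from upstream. Since this update is security-motivated, it is worth stating in the submission that the tarball was fetched from the upstream site and that `SHA256` and `SIZE` were regenerated with `make makesum` rather than edited by hand.
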
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/databases/sqlite3/pkg/PLIST,v
retrieving revision 1.10
diff -p -u -r1.10 PLIST
--- pkg/PLIST 3 Apr 2022 06:23:01 -0000 1.10
+++ pkg/PLIST 2 Aug 2022 15:46:46 -0000
@@ -99,6 +99,7 @@ lib/pkgconfig/sqlite3.pc
@man man/man3/sqlite3_db_filename.3
@man man/man3/sqlite3_db_handle.3
@man man/man3/sqlite3_db_mutex.3
+@man man/man3/sqlite3_db_name.3
@man man/man3/sqlite3_db_readonly.3
@man man/man3/sqlite3_db_release_memory.3
@man man/man3/sqlite3_db_status.3
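
Review bot: only one entry changes in this hunk, the added `@man man/man3/sqlite3_db_name.3`, placed in sort order between `sqlite3_db_mutex.3` and `sqlite3_db_readonly.3`. Please confirm the list was regenerated with `make update-plist` so that any other files added or removed between 3.39.0 and 3.39.2 are not missed.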
