SQLite Forum

A stack overflow vulnerability in SQLite nmakehelp.c allows arbitrary code execution via a crated file
## This Is Not An SQLite Vulnerability

Just to be clear to people who may be alarmed by the salmonx's title,
this is <u>not</u> a bug in SQLite.

The name of the file is "nmakehlp.c", not "nmakehelp.c".  And it is not
part of SQLite.  "nmakehlp.c" is a helper program used to assist in building
the TCL Extension on Windows.  It is part of TEA or the 
"TCL Extension Architecture".  In other words, the "nmakehlp.exe" program
is built and used to help with the build process for the SQLite TCL
extension under Windows.  Nobody ever runs this program, except when building
the SQLite TCL interface on a Windows host.  The inputs to nmakehlp.exe
are well-controlled such that even if it does contain a vulnerability
(which is probably does not) it would be completely harmless.

So, in other words, salmonx's original post above appears to be complete
nonsense.  One suspects that he is running a source-code scanning tool
across every source file he can find and reporting his results here.

*Edit: The original title has been edited to make this point clear.*