SQLite User Forum

ask for the method of fixes for CVE-2022-35737


(1) By tyj (TigerYJ) on 2022-08-15 09:22:39

Hi, thank you for your attention. I am an enthusiast of SQLite. The current version I use is 3.32.2 and cannot be upgraded.
Recently, I found the CVE-2022-35737 vulnerability on the CVE website. I have read the changes in SQLite 3.39.2 but have not found the specific fix for this vulnerability.
What should I do to circumvent this vulnerability in 3.32.2?
Thank you again for everything you've done.

References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35737
CVE ID: CVE-2022-35737
Description: SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

(2) By Stephan Beal (stephan) on 2022-08-15 09:33:00 in reply to 1

CVE-2022-35737

@shenwei just FYI i rejected your in-moderation post only because it asks the same question as this one, but this one has more relevant details.

(3) By Stephan Beal (stephan) on 2022-08-15 10:26:11 in reply to 1

... CVE-2022-35737

This CVE is already addressed in section 3 of https://sqlite.org/cves.html.

(4) By sw (shenwei) on 2022-08-15 10:28:53 in reply to 3

I have not found the commit record of the repair. Can you tell me the record of the repair?

(5) By Stephan Beal (stephan) on 2022-08-15 10:34:07 in reply to 4

Can you tell me the record of the repair?

The CVEs page says 3.39.2 and does not list a specific checkin. You have access to the same list of checkins as everyone else, though, so if you need to find a specific commit, they're all listed here: https://sqlite.org/src/timeline

Since that version was released before that CVE's disclosure, and may have even been fixed without being aware of the CVE, you won't find that CVE mentioned in a checkin message.

(6) By sw (shenwei) on 2022-08-15 10:36:42 in reply to 5

Could you please provide a link to the fix for this CVE vulnerability? I really can't find it.

(7) By Stephan Beal (stephan) on 2022-08-15 10:43:20 in reply to 6

Could you please provide a link to the fix for this CVE vulnerability? I really can't find it.

Richard just now updated the checkin comments of 2 checkins to add a reference to that CVE. The links to the code are at:

https://sqlite.org/src/timeline?c=0ab23d04540687f5&y=a

(8) By sw (shenwei) on 2022-08-15 10:47:14 in reply to 7

Thanks

(9) By tyj (TigerYJ) on 2022-08-15 11:30:05 in reply to 7

Thank you for your prompt reply.