Hi Jonas,

On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
>
> thanks for your response!
>
> Ola Lundqvist:
> > I have now looked into this problem to see if I can find out something.
> >
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and I cannot find that it can be.
> >
> > rtreenode function is registered using sqlite3_create_function
> > in sqlite3_rtree_init. But I cannot find the sqlite4_rtree_init
> > function to be called from anywhere.
> >
> > Based on this I think we can rather safely say that the function is not
> > used in Debian and hence the package is not affected.
>
> Ok, great. So given that others didn't comment (yet) and we both agree
> on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.
>
> Let's wait for Security Team's opinion. My recommendation for them would
> be to do the same, given that backporting the fix for CVE-2019-8457 to
> the sqlite3 version in Stretch will be as complex as it is for Jessie.
Ack, we will look into it.

> > I think we usually
> > mark it as ignored with a description. An alternative is to mark it as
> > not-affected but I'm not sure whether that should be done in this case
> > since the vulnerability is there, just not triggered. Someone else can
> > maybe help out with that decision.
>
> Marking it as 'non-affected' would be wrong as the package *is*
> affected. It's just that we consider it a minor vulnerability that we
> ignore for Jessie given that backporting a proper fix would mean very
> invasive code changes.
>
> @Security Team: do you have a suggestion how to mark cases like this one
> in data/CVE/list? The best probably would be to have a 'no-dla' flag, right?

No, there is no additional flag needed for that. Use no-dsa or, if you want
to make a stronger annotation that the LTS team does not want to further look
at the CVE, <ignored>. See
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory.

Regards,
Salvatore