Bugzilla – Bug 936836
VUL-0: CVE-2015-3717: sqlite3,sqlite2: SQLite printf Format String Remote Code Execution Vulnerability
Last modified: 2015-10-23 11:36:48 UTC
via ZDI:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SQLite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the printf function. The issue lies in the ability to use an arbitrary format string as an argument to an insecure printf function. An attacker can leverage this vulnerability to achieve code execution under the context of the current process.

I found zero reference on this on the sqlite upstream project? And why does it link to Apple for an update?

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3717
http://www.zerodayinitiative.com/advisories/ZDI-15-290/
https://support.apple.com/de-de/HT204942

> SQLite
>
> Available for: OS X Yosemite v10.10 to v10.10.3
>
> Impact: A remote attacker may cause an unexpected application termination
> or arbitrary code execution
>
> Description: Multiple buffer overflows existed in SQLite's printf
> implementation. These issues were addressed through improved bounds checking.
>
> CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative

Could you check if this would affect our platform?
bugbot adjusting priority
Is this anything that affects SQLite as used on SLE/openSUSE?
I am not aware of any use of SQLite in our products that would be vulnerable to this, but I don't have a list of all packages that use SQLite and how they use it.
Closing as not affecting our platform.