Bug 210751 - security/vuxml: Security vulnerability in SQLite3 (CVE-2016-6153)
Summary: security/vuxml: Security vulnerability in SQLite3 (CVE-2016-6153)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ports Security Team
URL: https://www.korelogic.com/Resources/A...
Keywords: easy, patch, security
Depends on:
Blocks:
 
Reported: 2016-07-01 20:26 UTC by VK
Modified: 2016-07-03 18:48 UTC

See Also:
junovitch: maintainer-feedback+


Attachments
Add SQLite3 vuln entry (CVE-2016-6153) (1.80 KB, patch)
2016-07-01 20:26 UTC, VK

Description VK freebsd_triage 2016-07-01 20:26:03 UTC
Created attachment 172028
Add SQLite3 vuln entry (CVE-2016-6153)

SQLite3 prior to 3.13.0 (e.g. the one in 2016Q2) has a tempdir selection vulnerability. Attached is the VuXML entry patch.

* Reported:
  https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

* CVE assignment:
  http://openwall.com/lists/oss-security/2016/07/01/2
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-07-03 18:45:08 UTC
A commit references this bug:

Author: junovitch
Date: Sun Jul  3 18:44:40 UTC 2016
New revision: 417989
URL: https://svnweb.freebsd.org/changeset/ports/417989

Log:
  Document SQLite3 tempdir selection vulnerability

  PR:		210751
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2016-6153
  Security:	https://vuxml.FreeBSD.org/freebsd/546deeea-3fc6-11e6-a671-60a44ce6887b.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-07-03 18:48:10 UTC
Committed. Thank you!

The 3.13.0 update was committed a month ago (see bug 209827) before the public release of the CVE on 1 July 2016. 2016Q3 already contains this and no further actions are needed here.