Bug 210751

Summary: security/vuxml: Security vulnerability in SQLite3 (CVE-2016-6153)
Product: Ports & Packages Reporter: VK <vlad-fbsd>
Component: Individual Port(s)Assignee: Ports Security Team <ports-secteam>
Status: Closed FIXED    
Severity: Affects Only Me CC: junovitch
Priority: --- Keywords: easy, patch, security
Version: LatestFlags: junovitch: maintainer-feedback+
Hardware: Any   
OS: Any   
URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209827
Attachments:
Description Flags
Add SQLite3 vuln entry (CVE-2016-6153) none

Description VK 2016-07-01 20:26:03 UTC 
Created attachment 172028 [details]
Add SQLite3 vuln entry (CVE-2016-6153)

SQLite3 prior to 3.13.0 (eg. the one in 2016Q2) has a tempdir selection vulnerability. Attached is the VuXML entry patch.

* Reported:
  https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

* CVE assignment:
  http://openwall.com/lists/oss-security/2016/07/01/2
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-07-03 18:45:08 UTC 
A commit references this bug:

Author: junovitch
Date: Sun Jul  3 18:44:40 UTC 2016
New revision: 417989
URL: https://svnweb.freebsd.org/changeset/ports/417989

Log:
  Document SQLite3 tempdir selection vulnerability

  PR:		210751
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2016-6153
  Security:	https://vuxml.FreeBSD.org/freebsd/546deeea-3fc6-11e6-a671-60a44ce6887b.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-07-03 18:48:10 UTC 
Committed. Thank you!

The 3.13.0 update was committed a month ago (see bug 209827) before the public release of the CVE on 1 July 2016. 2016Q3 already contains this and no further actions are needed here.