Bug 234112

Summary: SQLite: Remote code execution vulnerability (Magellan)
Product: Services
Reporter: Kubilay Kocak <koobs>
Component: Security Team
Assignee: Security Team <secteam>
Status: Closed FIXED
Severity: Affects Many People
CC: cy, emaste, joneum, ports-secteam
Priority: ---
Keywords: security, tracking
Version: unspecified   
Hardware: Any   
OS: Any   
URL: https://blade.tencent.com/magellan/index_en.html
Bug Depends on: 233712, 233990, 234113, 234191    
Bug Blocks:    

Description Kubilay Kocak freebsd_committer freebsd_triage 2018-12-18 03:20:30 UTC
Tracking issue to coordinate and link related issues and changes in FreeBSD related to the announced vulnerability:

Quote:

Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.

Additional References:

- https://access.redhat.com/errata/RHSA-2018:3803
- https://www.debian.org/security/2018/dsa-4352
- https://lwn.net/Articles/774463/
Comment 1 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:36:52 UTC
What is the current status?
Does ports-secteam have to be active here?
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-03-30 03:06:17 UTC
This was a tracking issue to make it easier for our secteams to coordinate complete resolution, in case it wasn't done in a timely manner by people responsible for updating the various involved components. All subtasks have been resolved, closing FIXED.