FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

SQLite3 -- Tempdir Selection Vulnerability

Affected packages
sqlite3 < 3.13.0

Details

VuXML ID 546deeea-3fc6-11e6-a671-60a44ce6887b
Discovery 2016-07-01
Entry 2016-07-03

KoreLogic security reports:

Affected versions of SQLite reject potential tempdir locations if they are not readable, falling back to '.'. Thus, SQLite will favor e.g. using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check.
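The selection logic described in the report, as an added example (not code from SQLite, KoreLogic or the FreeBSD entry): a simplified model of the affected behaviour beside a hardened variant. The permission table, the function names and the hardened rule (require only write+search, and fail if '.' does not pass) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { P_X = 1, P_W = 2, P_R = 4 };   /* same bit values as access(2) modes */

/* Constructed stand-in for the filesystem: what this process may do per dir. */
struct dir_perm { const char *path; int perms; };

static int allowed(const struct dir_perm *fs, size_t n, const char *path, int want) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(fs[i].path, path) == 0)
            return (fs[i].perms & want) == want;
    return 0;   /* directory not in the table: treat as missing */
}

/* Model of the reported behaviour: a candidate is rejected unless it is also
   readable, and "." is returned even though its own check result is dropped. */
const char *pick_affected(const struct dir_perm *fs, size_t n,
                          const char *const *cand, size_t ncand) {
    for (size_t i = 0; i < ncand; i++)
        if (allowed(fs, n, cand[i], P_R | P_W | P_X))
            return cand[i];
    (void)allowed(fs, n, ".", P_R | P_W | P_X);   /* checked, result ignored */
    return ".";
}

/* Hardened sketch (assumption, not the upstream patch): creating a temp file
   needs only write+search, and "." must pass the same check or we fail. */
const char *pick_hardened(const struct dir_perm *fs, size_t n,
                          const char *const *cand, size_t ncand) {
    for (size_t i = 0; i < ncand; i++)
        if (allowed(fs, n, cand[i], P_W | P_X))
            return cand[i];
    return allowed(fs, n, ".", P_W | P_X) ? "." : NULL;
}

/* Constructed sample: temp dirs are write+search only; cwd is not writable. */
static const struct dir_perm SAMPLE_FS[] = {
    { "/var/tmp", P_W | P_X }, { "/tmp", P_W | P_X }, { ".", P_R | P_X } };
static const char *const CANDS[] = { "/var/tmp", "/tmp" };

int main(void) {
    const char *a = pick_affected(SAMPLE_FS, 3, CANDS, 2);
    const char *h = pick_hardened(SAMPLE_FS, 3, CANDS, 2);
    printf("affected model: %s\nhardened model: %s\n", a, h ? h : "(error)");
    return 0;
}
```

With the constructed table, the affected model settles on '.' although usable temp directories exist, while the hardened variant picks the first write+search candidate and returns an error when nothing qualifies.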

References

CVE Name CVE-2016-6153
FreeBSD PR ports/209827
URL http://openwall.com/lists/oss-security/2016/07/01/2
URL http://www.sqlite.org/cgi/src/info/614bb709d34e1148
URL http://www.sqlite.org/cgi/src/info/67985761aa93fb61
URL http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
URL https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt