CVE-2022-35737 sqlite

Are any rust sqlite packages (r2ds_sqlite, rusqlite, etc) affected by this CVE? Couldn't get any info on this. Thanks!

Ignoring the actual details of the bug...

rusqlite supports a few different ways to pull in sqlite:

  • Build an included sqlite version, which currently appears to be 3.38.3 and thus would be vulnerable.
  • Build against the system's sqlite, in which case it's up to the system's administrator to make sure a non-vulnerable version is installed.

I don't know if the bindings introduce any mitigations [by accident?].

Here's some information re sqlx:

According to the maintainer, rusqlite is not affected and is not using 3.38.3:
