Which commit fixes CVE-2023-32697?

[pgrt]

Hello,

I am the Debian maintainer of sqlite-jdbc, and I would like to fix CVE-2023-32697 in Debian.

Still, we are very close to the release of Debian 12 and it is not possible to upload Version 3.41.2.2, I can only cherry-pick some commits so that changes to the Debian-packaged software remain small.

I feel that commit edb4b8a is the one that fixes CVE-2023-32697, do you confirm? Is it enough if I cherry-pick this only commit?

Thanks a lot for your help,

Best,

--
Pierre

[pgrt]

Hi again,

Forgive me for writing again quite quickly, but I feel it is really important to be able to fix the CVE in Debian, while packaging a new upstream version of sqlite-jdbc is unfeasible as we release Debian 12 in less than 2 weeks.

If you had the opportunity to point me to the commit(s) which fix(es) CVE-2023-32697, it would be really super useful.

Cheers,
Pierre

[Willena]

See https://security-tracker.debian.org/tracker/CVE-2023-32697

[pgrt]

Hi @Willena,

Thanks for considering my questions. Still, I was concerned about the precise commit as I was willing to backport only this change in an environment in which changing the whole version was too important as a change.
Still, I am confident commit edb4b8a is the one I was looking for, some colleagues also do. Thus I picked it and I am ok with this situation.

Best,
Pierre