Description
libsqlite3-sys release v0.25.1 was the first version to upgrade its bindings to SQLite 3.39.2 (https://github.com/rusqlite/rusqlite/blob/sys0.25.1/libsqlite3-sys/sqlite3/bindgen_bundled_version.rs#L3), which fixed CVE-2022-35737. More details on the CVE: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

sqlx v0.6.2, when the sqlite feature is activated (https://github.com/launchbadge/sqlx/blob/v0.6.2/Cargo.toml#L111), depends on libsqlite3-sys version 0.24.x (https://github.com/launchbadge/sqlx/blob/ef17af31c22bc7f986837a2ea6e398e07c68d915/sqlx-core/Cargo.toml#L138-L143), which itself binds to SQLite 3.38.x (https://github.com/rusqlite/rusqlite/blob/sys0.24.1/libsqlite3-sys/sqlite3/bindgen_bundled_version.rs).

The upgrade is present in the 0.7-dev branch of sqlx, but no released version with the fix has been published yet.
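A lockfile check a downstream maintainer can run to see whether a build is still pulling in an affected libsqlite3-sys, as an added example that is not code from the sqlx or rusqlite projects. It reads the `[[package]]` blocks of a `Cargo.lock`, extracts the resolved `libsqlite3-sys` version and flags anything below 0.25.1 (the first release bundling SQLite 3.39.2, per the issue above). The sample `Cargo.lock` is constructed here to resemble what sqlx 0.6.2 with the sqlite feature would resolve; the function names and the 0.24.2 patch version are assumptions.

```shell
#!/bin/sh
# Added example (not part of sqlx or rusqlite): flag a Cargo.lock whose
# resolved libsqlite3-sys predates the SQLite 3.39.2 bindings (CVE-2022-35737).

MIN_FIXED="0.25.1"   # first libsqlite3-sys release bundling SQLite 3.39.2 (from the issue)

# lock_version <Cargo.lock> <crate>: print the resolved version of <crate>.
# Cargo.lock is TOML; each dependency is a [[package]] table with name/version keys.
lock_version() {
    awk -v name="$2" '
        /^\[\[package\]\]/ { in_pkg = 0 }
        $1 == "name" && $3 == ("\"" name "\"") { in_pkg = 1 }
        in_pkg && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# version_lt <a> <b>: return 0 when dotted version a is strictly lower than b.
# Compares component by component so that 0.9.0 < 0.25.1 (a plain string sort would not).
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# check_lockfile <Cargo.lock>: 0 = fixed version, 1 = affected version, 2 = crate absent.
check_lockfile() {
    v="$(lock_version "$1" libsqlite3-sys)"
    if [ -z "$v" ]; then
        echo "libsqlite3-sys is not in $1 (sqlite feature probably not enabled)"
        return 2
    fi
    if version_lt "$v" "$MIN_FIXED"; then
        echo "AFFECTED: libsqlite3-sys $v < $MIN_FIXED (bundles SQLite before 3.39.2, CVE-2022-35737)"
        return 1
    fi
    echo "OK: libsqlite3-sys $v >= $MIN_FIXED"
    return 0
}

# write_sample_lock <path>: constructed Cargo.lock fragment, not taken from any real project.
write_sample_lock() {
    cat > "$1" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "libsqlite3-sys"
version = "0.24.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sqlx"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

SAMPLE_LOCK="$(mktemp)"
write_sample_lock "$SAMPLE_LOCK"
status=0
check_lockfile "$SAMPLE_LOCK" || status=$?
echo "exit status: $status"
```

Point `check_lockfile` at a real project's `Cargo.lock` to audit it; `cargo tree -i libsqlite3-sys` shows which dependency path pulls the crate in, which is useful when the lockfile is affected and sqlx is not the only consumer.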