Debian Security Advisory
DLA-1633-1 sqlite3 -- LTS security update
- Date Reported: 11 Jan 2019
- Affected Packages: sqlite3
- Vulnerable: Yes
- Security database references:
  In the Debian bugtracking system: Bug 867618, Bug 893195.
  In Mitre's CVE dictionary: CVE-2017-2518, CVE-2017-2519, CVE-2017-2520, CVE-2017-10989, CVE-2018-8740.
- More information:
Several flaws were corrected in SQLite, an SQL database engine.
- CVE-2017-2518
A use-after-free bug in the query optimizer may cause a buffer overflow and application crash via a crafted SQL statement.
- CVE-2017-2519
Insufficient size of the reference count on Table objects could lead to a denial-of-service or arbitrary code execution.
- CVE-2017-2520
The sqlite3_value_text() interface returned a buffer that was not large enough to hold the complete string plus zero terminator when the input was a zeroblob. This could lead to arbitrary code execution or a denial-of-service.
- CVE-2017-10989
SQLite mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
- CVE-2018-8740
Databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference.
For Debian 8 "Jessie", these problems have been fixed in version 3.8.7.1-1+deb8u4.
We recommend that you upgrade your sqlite3 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
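As an added example that is not part of the advisory, the following Python script checks whether the binary packages built from the sqlite3 source are at or above the fixed version. It reimplements the Debian version ordering (the algorithm dpkg uses for the Version control field) instead of comparing strings, because a lexical comparison would rank a later 3.8.7.1-1+deb8u10 below 3.8.7.1-1+deb8u4 and report a patched host as vulnerable. The package names libsqlite3-0 and sqlite3 and the call to dpkg-query are assumptions for illustration; the advisory itself only says to upgrade the sqlite3 packages.

```python
"""Check whether sqlite3 packages are at or above the DLA-1633-1 fix.

The comparison follows the Debian version ordering (dpkg's verrevcmp):
[epoch:]upstream_version[-debian_revision], fragments compared as
alternating non-digit and digit runs, '~' sorting before everything.
"""
import subprocess
from typing import Optional, Tuple

# Fixed version and package names. The version is from the advisory;
# the binary package names are an assumption for this example.
FIXED_VERSION = "3.8.7.1-1+deb8u4"
PACKAGES = ("libsqlite3-0", "sqlite3")

_DIGITS = "0123456789"
_LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _order(c: str) -> int:
    """dpkg's character weight: end of string and digits are 0, '~' sorts
    before even end of string, letters sort before other characters."""
    if c == "" or c in _DIGITS:
        return 0
    if c in _LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision fragment."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until one side hits a digit.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run is the larger number,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; a missing revision is the empty
    string, which the fragment comparison treats the same as '0'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no '-' at all: rpartition put the whole string in revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def debian_version_compare(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _cmp_fragment(ua, ub)
    if r != 0:
        return r
    return _cmp_fragment(ra, rb)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return debian_version_compare(installed, fixed) >= 0


def installed_version(package: str) -> Optional[str]:
    """Ask dpkg-query for the installed version; None when dpkg-query is
    absent (non-Debian host) or the package is not installed."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    for pkg in PACKAGES:
        v = installed_version(pkg)
        if v is None:
            print(f"{pkg}: not installed or dpkg-query unavailable")
        elif is_patched(v):
            print(f"{pkg} {v}: at or above {FIXED_VERSION}, DLA-1633-1 applied")
        else:
            print(f"{pkg} {v}: older than {FIXED_VERSION}, still vulnerable")
```

On a Debian host the same decision can be made with `dpkg --compare-versions "$v" ge 3.8.7.1-1+deb8u4`; the point of carrying the algorithm in the script is that the check also works in inventory tooling that only has version strings collected from many machines. Checking libsqlite3-0 in addition to the sqlite3 command-line package matters because most applications link against the shared library, not the CLI.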