system/sqlite: multiple vulnerabilities
Bugzilla ID | 245 |
Alias(es) | CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358, CVE-2020-9327 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-03-16 19:54:09 -0500 |
Modified | 2020-07-01 14:18:58 -0500 |
Status | CONFIRMED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Package(s) | system/sqlite |
Description
CVE-2020-9327: https://nvd.nist.gov/vuln/detail/CVE-2020-9327
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger
a NULL pointer dereference and segmentation fault because of generated
column optimizations.
Unreleased fix:
https://github.com/sqlite/sqlite/commit/bf48ce49f7c25e5d4524de9fdc5c0d505218d06d
https://github.com/sqlite/sqlite/commit/78d1d225d87af40f5bdca57fa72f00b6ffaffa21
Since we currently build from the amalgamation distribution, this will need to wait on either an overhaul of the entire aport or a new release.