Security Advisories (13)
CVE-2020-13434
(2020-05-24)
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
- https://www.sqlite.org/src/info/23439ea582241138
- https://www.sqlite.org/src/info/d08d3405878d394e
- https://lists.debian.org/debian-lts-announce/2020/05/msg00024.html
- https://security.netapp.com/advisory/ntap-20200528-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
CVE-2020-11656
(2020-04-09)
In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
- https://www3.sqlite.org/cgi/src/info/b64674919f673602
- https://www.sqlite.org/src/info/d09f8c3621d5f7f8
- https://security.netapp.com/advisory/ntap-20200416-0001/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-9327
(2020-02-21)
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.
- https://www.sqlite.org/cgi/src/info/4374860b29383380
- https://www.sqlite.org/cgi/src/info/abc473fb8fb99900
- https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
- https://security.netapp.com/advisory/ntap-20200313-0002/
- https://security.gentoo.org/glsa/202003-16
- https://usn.ubuntu.com/4298-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2019-5018
(2019-05-10)
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777
- http://www.securityfocus.com/bid/108294
- http://packetstormsecurity.com/files/152809/Sqlite3-Window-Function-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20190521-0001/
- https://security.gentoo.org/glsa/201908-09
- https://usn.ubuntu.com/4205-1/
CVE-2020-13630
(2020-05-27)
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
- https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
- https://sqlite.org/src/info/0d69f76f0865f962
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://security.netapp.com/advisory/ntap-20200608-0002/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2019-8457
(2019-05-30)
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
- https://www.sqlite.org/src/info/90acdbfce9c08858
- https://www.sqlite.org/releaselog/3_28_0.html
- https://usn.ubuntu.com/4004-1/
- https://usn.ubuntu.com/4004-2/
- https://security.netapp.com/advisory/ntap-20190606-0002/
- https://usn.ubuntu.com/4019-1/
- https://usn.ubuntu.com/4019-2/
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
CVE-2020-15358
(2020-06-27)
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
- https://www.sqlite.org/src/info/10fa79d00f8091e5
- https://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2
- https://www.sqlite.org/src/tktview?name=8f157e8010
- https://security.netapp.com/advisory/ntap-20200709-0001/
- https://security.gentoo.org/glsa/202007-26
- https://usn.ubuntu.com/4438-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211847
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://support.apple.com/kb/HT212147
- http://seclists.org/fulldisclosure/2021/Feb/14
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
CVE-2020-13632
(2020-05-27)
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
- https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
- https://sqlite.org/src/info/a4dd148928ea65bd
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://security.netapp.com/advisory/ntap-20200608-0002/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-13631
(2020-05-27)
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
- https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
- https://sqlite.org/src/info/eca0ba2cf4c0fdf7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://security.netapp.com/advisory/ntap-20200608-0002/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-13435
(2020-05-24)
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
- https://www.sqlite.org/src/info/7a5279a25c57adf1
- https://security.netapp.com/advisory/ntap-20200528-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpuApr2021.html
CVE-2020-11655
(2020-04-09)
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
- https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
- https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c
- https://security.netapp.com/advisory/ntap-20200416-0001/
- https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2019-19646
(2019-12-09)
pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
- https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd
- https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3
- https://www.sqlite.org/
- https://security.netapp.com/advisory/ntap-20191223-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2019-19645
(2019-12-09)
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
- https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06
- https://security.netapp.com/advisory/ntap-20191223-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://usn.ubuntu.com/4394-1/
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Changes for version 1.62 - 2018-12-29
- Switched to a production version
Changes for version 1.61_04 - 2018-12-22
- Added sqlite_db_config method and new constants for it
- Added sqlite_defensive option to disallow dangerous SQLite features
- Exposed some of the hidden extended result codes
Changes for version 1.61_03 - 2018-12-19
- Upgraded SQLite to 3.26.0, which reportedly has a security fix
Changes for version 1.61_02 - 2018-12-01
- Added sqlite_backup_from_dbh/sqlite_backup_to_dbh methods
- Introduced sqlite_prefer_numeric_type database handle attribute that changes the value of TYPE statement handle attribute from an array of string to an array of integer, as an experimental feature. Setting this may break your applications.
- Changed preferred bugtracker
Changes for version 1.61_01 - 2018-12-01
- Added ability to configure SQLITE_MAX_LENGT with environmental variable (Roy Storey)
- Added sqlite_limit database handle method to change run-time limits
- Upgraded SQLite to 3.25.3
- Updated constants
Documentation
The DBD::SQLite Cookbook
Using fulltext searches with DBD::SQLite
Modules
Self-contained RDBMS in a DBI Driver
common SQLite constants
SQLite virtual tables implemented in Perl
virtual table for viewing file contents
virtual table hooked to Perl data
Provides
in lib/DBD/SQLite/GetInfo.pm
in lib/DBD/SQLite/VirtualTable.pm
in lib/DBD/SQLite/VirtualTable/FileContent.pm
in lib/DBD/SQLite/VirtualTable/PerlData.pm
Module Install Instructions
To install DBD::SQLite, copy and paste the appropriate command in to your terminal.
cpanm DBD::SQLiteperl -MCPAN -e shell
install DBD::SQLiteFor more information on module installation, please visit the detailed CPAN module installation guide.