Security Advisories (11)
CVE-2020-13434
(2020-05-24)
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
- https://www.sqlite.org/src/info/23439ea582241138
- https://www.sqlite.org/src/info/d08d3405878d394e
- https://lists.debian.org/debian-lts-announce/2020/05/msg00024.html
- https://security.netapp.com/advisory/ntap-20200528-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
CVE-2020-11656
(2020-04-09)
In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
- https://www3.sqlite.org/cgi/src/info/b64674919f673602
- https://www.sqlite.org/src/info/d09f8c3621d5f7f8
- https://security.netapp.com/advisory/ntap-20200416-0001/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-9327
(2020-02-21)
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.
- https://www.sqlite.org/cgi/src/info/4374860b29383380
- https://www.sqlite.org/cgi/src/info/abc473fb8fb99900
- https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
- https://security.netapp.com/advisory/ntap-20200313-0002/
- https://security.gentoo.org/glsa/202003-16
- https://usn.ubuntu.com/4298-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-13630
(2020-05-27)
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
- https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
- https://sqlite.org/src/info/0d69f76f0865f962
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://security.netapp.com/advisory/ntap-20200608-0002/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-15358
(2020-06-27)
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
- https://www.sqlite.org/src/info/10fa79d00f8091e5
- https://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2
- https://www.sqlite.org/src/tktview?name=8f157e8010
- https://security.netapp.com/advisory/ntap-20200709-0001/
- https://security.gentoo.org/glsa/202007-26
- https://usn.ubuntu.com/4438-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211847
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://support.apple.com/kb/HT212147
- http://seclists.org/fulldisclosure/2021/Feb/14
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
CVE-2020-13632
(2020-05-27)
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
- https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
- https://sqlite.org/src/info/a4dd148928ea65bd
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://security.netapp.com/advisory/ntap-20200608-0002/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-13631
(2020-05-27)
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
- https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
- https://sqlite.org/src/info/eca0ba2cf4c0fdf7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://security.netapp.com/advisory/ntap-20200608-0002/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2020-13435
(2020-05-24)
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
- https://www.sqlite.org/src/info/7a5279a25c57adf1
- https://security.netapp.com/advisory/ntap-20200528-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN/
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211952
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Nov/20
- https://support.apple.com/kb/HT211935
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpuApr2021.html
CVE-2020-11655
(2020-04-09)
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
- https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
- https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c
- https://security.netapp.com/advisory/ntap-20200416-0001/
- https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html
- https://usn.ubuntu.com/4394-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.gentoo.org/glsa/202007-26
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2019-19646
(2019-12-09)
pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
- https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd
- https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3
- https://www.sqlite.org/
- https://security.netapp.com/advisory/ntap-20191223-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
CVE-2019-19645
(2019-12-09)
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
- https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06
- https://security.netapp.com/advisory/ntap-20191223-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://usn.ubuntu.com/4394-1/
- https://www.tenable.com/security/tns-2021-14
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Changes for version 1.64 - 2019-08-12
- Switched to a production version
Changes for version 1.63_05 - 2019-07-12
- Upgraded SQLite to 3.29.0
- Added sqlite_get_autocommit private method (GH#52)
- Addded new db_config constants, notably to prohibit double-quoted string literals
Changes for version 1.63_04 - 2019-05-25
Changes for version 1.63_03 - 2019-02-15
- Applied a patch to fix segmentation fault on 32-bit big-endian platforms by Niko Tyni (GH#45)
Changes for version 1.63_02 - 2019-02-14
- Upgraded SQLite to 3.27.1
- Let a URI filename test skip if SQLite is compiled with URI filename support (GH#47)
Changes for version 1.63_01 - 2019-01-26
- Made sure an internal hv is initialized (GH#45)
- Fixed a number of tests to skip
- Bumped up Test::More requirement
- Replaced bundled Test::NoWarnings with Test::FailWarnings
- Handle 'unknown' op in DBD::SQLite::VirtualTable::PerlData (Corion++)
Documentation
The DBD::SQLite Cookbook
Using fulltext searches with DBD::SQLite
Modules
Self-contained RDBMS in a DBI Driver
common SQLite constants
SQLite virtual tables implemented in Perl
virtual table for viewing file contents
virtual table hooked to Perl data
Provides
in lib/DBD/SQLite/GetInfo.pm
in lib/DBD/SQLite/VirtualTable.pm
in lib/DBD/SQLite/VirtualTable/FileContent.pm
in lib/DBD/SQLite/VirtualTable/PerlData.pm
Module Install Instructions
To install DBD::SQLite, copy and paste the appropriate command in to your terminal.
cpanm DBD::SQLiteperl -MCPAN -e shell
install DBD::SQLiteFor more information on module installation, please visit the detailed CPAN module installation guide.