Security Advisories (19)

CVE-2020-13434 (2020-05-24)

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

CVE-2020-11656 (2020-04-09)

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVE-2020-9327 (2020-02-21)

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

CVE-2018-20506 (2019-04-03)

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.

CVE-2015-3416 (2015-04-24)

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.

CVE-2015-3414 (2015-04-24)

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

CVE-2020-13630 (2020-05-27)

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.

CVE-2020-15358 (2020-06-27)

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

CVE-2020-13632 (2020-05-27)

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.

CVE-2020-13631 (2020-05-27)

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.

CVE-2020-13435 (2020-05-24)

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.

CVE-2020-11655 (2020-04-09)

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

CVE-2019-19646 (2019-12-09)

pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.

CVE-2019-19645 (2019-12-09)

alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.

CVE-2018-20346 (2018-12-21)

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

CVE-2018-8740 (2018-03-17)

In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

CVE-2017-10989 (2017-07-07)

The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

CVE-2015-3415 (2015-04-24)

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

CVE-2016-6153 (2016-09-26)

os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.

NAME

DBD::SQLite - Self Contained RDBMS in a DBI Driver

SYNOPSIS

use DBI;
my $dbh = DBI->connect("dbi:SQLite:dbname=dbfile","","");

DESCRIPTION

SQLite is a public domain RDBMS database engine that you can find at http://www.hwaci.com/sw/sqlite/.

Rather than ask you to install SQLite first, because SQLite is public domain, DBD::SQLite includes the entire thing in the distribution. So in order to get a fast transaction capable RDBMS working for your perl project you simply have to install this module, and nothing else.

SQLite supports the following features:

Implements a large subset of SQL92: See http://www.hwaci.com/sw/sqlite/lang.html for details.
A complete DB in a single disk file: Everything for your database is stored in a single disk file, making it easier to move things around than with DBD::CSV.
Atomic commit and rollback: Yes, DBD::SQLite is small and light, but it supports full transactions!
Extensible: User-defined aggregate or regular functions can be registered with the SQL parser.

There's lots more to it, so please refer to the docs on the SQLite web page, listed above, for SQL details. Also refer to DBI for details on how to use DBI itself.

CONFORMANCE WITH DBI SPECIFICATION

The API works like every DBI module does. Please see DBI for more details about core features.

Currently many statement attributes are not implemented or are limited by the typeless nature of the SQLite database.

DRIVER PRIVATE ATTRIBUTES

Database Handle Attributes

sqlite_version: Returns the version of the SQLite library which DBD::SQLite is using, e.g., "2.8.0".

DRIVER PRIVATE METHODS

$dbh->func('last_insert_rowid')

This method returns the last inserted rowid. If you specify an INTEGER PRIMARY KEY as the first column in your table, that is the column that is returned. Otherwise, it is the hidden ROWID column. See the sqlite docs for details.

Note: You can now use $dbh->last_insert_id() if you have a recent version of DBI.

$dbh->func( 'busy_timeout' )

Retrieve the current busy timeout.

$dbh->finc( $ms, 'busy_timeout' )

Set the current busy timeout. The timeout is in milliseconds.

$dbh->func( $name, $argc, $func_ref, "create_function" )

This method will register a new function which will be useable in SQL query. The method's parameters are:

$name: The name of the function. This is the name of the function as it will be used from SQL.
$argc: The number of arguments taken by the function. If this number is -1, the function can take any number of arguments.
$func_ref: This should be a reference to the function's implementation.

For example, here is how to define a now() function which returns the current number of seconds since the epoch:

$dbh->func( 'now', 0, sub { return time }, 'create_function' );

After this, it could be use from SQL as:

INSERT INTO mytable ( now() );

$dbh->func( $name, $argc, $pkg, 'create_aggregate' )

This method will register a new aggregate function which can then used from SQL. The method's parameters are:

$name: The name of the aggregate function, this is the name under which the function will be available from SQL.
$argc: This is an integer which tells the SQL parser how many arguments the function takes. If that number is -1, the function can take any number of arguments.
$pkg: This is the package which implements the aggregator interface.

The aggregator interface consists of defining three methods:

new(): This method will be called once to create an object which should be used to aggregate the rows in a particular group. The step() and finalize() methods will be called upon the reference return by the method.
step(@_): This method will be called once for each rows in the aggregate.
finalize(): This method will be called once all rows in the aggregate were processed and it should return the aggregate function's result. When there is no rows in the aggregate, finalize() will be called right after new().

Here is a simple aggregate function which returns the variance (example adapted from pysqlite):

package variance;

sub new { bless [], shift; }

sub step {
    my ( $self, $value ) = @_;

    push @$self, $value;
}

sub finalize {
    my $self = $_[0];

    my $n = @$self;

    # Variance is NULL unless there is more than one row
    return undef unless $n || $n == 1;

    my $mu = 0;
    foreach my $v ( @$self ) {
        $mu += $v;
    }
    $mu /= $n;

    my $sigma = 0;
    foreach my $v ( @$self ) {
        $sigma += ($x - $mu)**2;
    }
    $sigma = $sigma / ($n - 1);

    return $sigma;
}

$dbh->func( "variance", 1, 'variance', "create_aggregate" );

The aggregate function can then be used as:

SELECT group_name, variance(score) FROM results
GROUP BY group_name;

NOTES

To access the database from the command line, try using dbish which comes with the DBI module. Just type:

dbish dbi:SQLite:foo.db

On the command line to access the file foo.db.

Alternatively you can install SQLite from the link above without conflicting with DBD::SQLite and use the supplied sqlite command line tool.

PERFORMANCE

SQLite is fast, very fast. I recently processed my 72MB log file with it, inserting the data (400,000+ rows) by using transactions and only committing every 1000 rows (otherwise the insertion is quite slow), and then performing queries on the data.

Queries like count(*) and avg(bytes) took fractions of a second to return, but what surprised me most of all was:

SELECT url, count(*) as count FROM access_log
  GROUP BY url
  ORDER BY count desc
  LIMIT 20

To discover the top 20 hit URLs on the site (http://axkit.org), and it returned within 2 seconds. I'm seriously considering switching my log analysis code to use this little speed demon!

Oh yeah, and that was with no indexes on the table, on a 400MHz PIII.

For best performance be sure to tune your hdparm settings if you are using linux. Also you might want to set:

PRAGMA default_synchronous = OFF

Which will prevent sqlite from doing fsync's when writing (which slows down non-transactional writes significantly) at the expense of some peace of mind. Also try playing with the cache_size pragma.

BUGS

Likely to be many, please use http://rt.cpan.org/ for reporting bugs.

AUTHOR

Matt Sergeant, matt@sergeant.org

Perl extension functions contributed by Francis J. Lacoste <flacoste@logreport.org> and Wolfgang Sourdeau <wolfgang@logreport.org>

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)