sqlite-3.26.0-6.el8

Errata ID: AXSA:2020-328:02

Release date: Thursday, September 10, 2020 - 12:01
Subject: sqlite-3.26.0-6.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.

Security Fix(es):

* sqlite: heap out-of-bound read in function rtreenode() (CVE-2019-8457)

* sqlite: fts3: improve shadow table corruption detection (CVE-2019-13752)

* sqlite: fts3: incorrectly removed corruption check (CVE-2019-13753)

* sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference (CVE-2019-19923)

* sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting (CVE-2019-19924)

* sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive (CVE-2019-19925)

* sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames (CVE-2019-19959)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-13752
Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2019-13753
Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2019-19923
flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
CVE-2019-19924
SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.
CVE-2019-19925
zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
CVE-2019-19959
ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.
CVE-2019-8457
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. sqlite-3.26.0-6.el8.src.rpm
    MD5: 2919f5102e46e45fc9d720f8675e6e13
    SHA-256: 0b9835ea834215a989a6f662d926af2552ed56963e468ef9304a9b3a40d8802e
    Size: 22.47 MB

Asianux Server 8 for x86_64
  1. lemon-3.26.0-6.el8.x86_64.rpm
    MD5: 48038039575998d5a54d978e5660a7da
    SHA-256: 8af1c8249305eb2426fed814943747b22132dab3d7153c701b88cdc4e3135906
    Size: 75.01 kB
  2. sqlite-3.26.0-6.el8.x86_64.rpm
    MD5: da7eafc1b06e20bf4c29b0007901a433
    SHA-256: f1e19035010fe07d9362705dd9cd62e8d1fac5fd2ccac22ec18c9bedddbb3474
    Size: 665.18 kB
  3. sqlite-devel-3.26.0-6.el8.x86_64.rpm
    MD5: 98ab8cb4bd54084d17b3ed270d338e3e
    SHA-256: df263e0d85bb45953631e07281cd18aac483e1ed3a724caa846df75b92f4ac73
    Size: 162.69 kB
  4. sqlite-doc-3.26.0-6.el8.noarch.rpm
    MD5: f5654149c4f8f9595d40a2e6b3228b88
    SHA-256: 1e70e2d818e20638adbd876271bb13f82abfdb4f47613b3e3ffa4b39c7e2fc45
    Size: 6.76 MB
  5. sqlite-libs-3.26.0-6.el8.x86_64.rpm
    MD5: f1c28728e994a444e3ae72e5d8ef6f43
    SHA-256: ca2ddf0184686dfab0b3403940f0a121cec920fe56e0287d4ba2ba7cbf5ee49e
    Size: 578.07 kB
  6. sqlite-3.26.0-6.el8.i686.rpm
    MD5: 97c927fb3a2e82ae3d19d0a0dc707b60
    SHA-256: e51eda8fe3ed63b4bff6a571d8602097c5644a14b3771b2e6e8ec045752401a5
    Size: 712.30 kB
  7. sqlite-devel-3.26.0-6.el8.i686.rpm
    MD5: 3dfba7517a3509456ca143c63eb2c520
    SHA-256: d41c3dfc32df1474d185b5b798c603e851590286e5df13bda4f3a61a7fc917bd
    Size: 162.71 kB
  8. sqlite-libs-3.26.0-6.el8.i686.rpm
    MD5: 3f271dbe33d00c5ba81bc9a7425488e1
    SHA-256: 528784b61f2be38b0e7c6e4486611c64ee0fb8941c8fe3872ab3324bcfd3ca9a
    Size: 618.75 kB