Change logs for sqlite3 source package in Bionic

  • sqlite3 (3.22.0-1ubuntu0.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: array-bounds overflow via large string argument
        - debian/patches/CVE-2022-35737.patch: increase the size of loop
          variables in src/printf.c.
        - CVE-2022-35737
    
     -- Marc Deslauriers <email address hidden>  Fri, 04 Nov 2022 09:14:10 -0400
  • sqlite3 (3.22.0-1ubuntu0.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: null pointer dereference in INTERSECT query processing
        - debian/patches/CVE-2020-35525.patch: early-out on the INTERSECT query
          processing following an error in src/select.c.
        - CVE-2020-35525
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Sep 2022 13:02:25 -0400
  • sqlite3 (3.22.0-1ubuntu0.5) bionic-security; urgency=medium
    
      * SECURITY UPDATE: segmentation fault in idxGetTableInfo
        - debian/patches/CVE-2021-36690.patch: perform validation
          over the column to ensure it has collating sequence in
          ext/expert/sqlite3expert.c
        - CVE-2021-36690
    
     -- David Fernandez Gonzalez <email address hidden>  Thu, 28 Apr 2022 16:04:18 +0200
  • sqlite3 (3.22.0-1ubuntu0.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: null pointer dereference
        - debian/patches/CVE-2018-8740.patch: better error message text when
          the schema is corrupted in src/build.c, src/prepare.c.
        - CVE-2018-8740
      * SECURITY UPDATE: integer overflow in sqlite3_str_vappendf
        - debian/patches/CVE-2020-13434-pre1.patch: fix test/printf.test.
        - debian/patches/CVE-2020-13434.patch: limit the "precision" of
          floating-point to text conversions in src/printf.c, test/printf.test.
        - CVE-2020-13434
      * SECURITY UPDATE: use-after-free in fts3EvalNextRow
        - debian/patches/CVE-2020-13630.patch: add fix to ext/fts3/fts3.c,
          test/fts3snippet.test.
        - CVE-2020-13630
      * SECURITY UPDATE: NULL pointer dereference
        - debian/patches/CVE-2020-13632.patch: fix issue in
          ext/fts3/fts3_snippet.c, test/fts3matchinfo2.test.
        - CVE-2020-13632
    
     -- Marc Deslauriers <email address hidden>  Mon, 08 Jun 2020 11:07:38 -0400
  • sqlite3 (3.22.0-1ubuntu0.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: more shadow table corruption
        - debian/patches/CVE-2019-13734_50.patch: more improvements to shadow
          table corruption detection in ext/fts3/fts3.c, ext/fts3/fts3Int.h,
          ext/fts3/fts3_write.c.
        - CVE-2019-13734
        - CVE-2019-13750
      * SECURITY UPDATE: corrupt records in fts3
        - debian/patches/CVE-2019-13751-pre1.patch: detect and prevent infinite
          recursion in fts3SelectLeaf() due to a malformed FTS3 btree in
          ext/fts3/fts3.c, test/fts4aa.test.
        - debian/patches/CVE-2019-13751.patch: improve detection of corrupt
          records in ext/fts3/fts3.c, ext/fts3/fts3_write.c.
        - CVE-2019-13751
      * SECURITY UPDATE: shadow table corruption
        - debian/patches/CVE-2019-13752.patch: improved detection of corrupt
          shadow tables in ext/fts3/fts3.c, ext/fts3/fts3Int.h,
          ext/fts3/fts3_write.c.
        - CVE-2019-13752
      * SECURITY UPDATE: out of bounds read
        - debian/patches/CVE-2019-13753.patch: remove a reachable NEVER() in
          ext/fts3/fts3_write.c.
        - CVE-2019-13753
      * SECURITY UPDATE: SELECT DISTINCT involving a LEFT JOIN issue
        - debian/patches/CVE-2019-19923.patch: continue to back away from the
          LEFT JOIN optimization of check-in by disallowing query flattening if
          the outer query is DISTINCT in src/select.c, test/join.test.
        - CVE-2019-19923
      * SECURITY UPDATE: certain parser-tree rewriting mishandling
        - debian/patches/CVE-2019-19924.patch: properly handle errors in
          src/expr.c, src/vdbeaux.c, src/window.c.
        - CVE-2019-19924
      * SECURITY UPDATE: NULL pathname mishandling in zipfileUpdate
        - debian/patches/CVE-2019-19925.patch: properly handle pathname in
          ext/misc/zipfile.c.
        - CVE-2019-19925
      * SECURITY UPDATE: multiSelect error handling issue
        - debian/patches/CVE-2019-19926.patch: abort early due to prior errors
          in src/select.c.
        - CVE-2019-19926
      * SECURITY UPDATE: embedded NULL filename mishandling
        - debian/patches/CVE-2019-19959.patch: handle filenames that contain
          embedded zeros in ext/misc/zipfile.c.
        - CVE-2019-19959
      * SECURITY UPDATE: selectExpander stack unwinding issue
        - debian/patches/CVE-2019-20218-pre1.patch: make sure the WITH stack in
          the Parse object is disabled following an error in src/select.c,
          src/util.c, test/with3.test.
        - debian/patches/CVE-2019-20218.patch: do not attempt to unwind the
          WITH stack in the Parse object following an error in src/select.c,
          test/altertab3.test.
        - CVE-2019-20218
      * SECURITY UPDATE: NULL pointer deref via generated column optimizations
        - debian/patches/CVE-2020-9327.patch: take care when checking the
          table of a TK_COLUMN expression node in src/sqliteInt.h,
          src/whereexpr.c.
    
     -- Marc Deslauriers <email address hidden>  Tue, 03 Mar 2020 09:20:41 -0500
  • sqlite3 (3.22.0-1ubuntu0.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Severe division by zero
        - debian/patches/CVE-2019-16168.patch: fix in
          src/analyze.c, src/where.c, test/analyzeC.test.
        - CVE-2019-16168
      * SECURITY UPDATE: Heap corruption exploit
        - debian/patches/CVE-2019-5827-*.patch: fix in
          ext/fts3*, ext/rtree/geopoly.c, src/build.c,
          src/expr.c, src/main.c, src/test_fs.c, src/util.c,
          src/vdbeaux.c, src/vdbesort.c, src/vtab.c.
        - CVE-2019-5827
    
     -- <email address hidden> (Leonidas S. Barbosa)  Thu, 28 Nov 2019 11:46:36 -0300
  • sqlite3 (3.22.0-1ubuntu0.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Integer overflow
        - debian/patches/CVE-2018-20346-and-CVE-2018-20506.patch:
          add extra defenses against strategically corrupt databases
          in ext/fts3/fts3.c, ext/fts3/fts3_write.c, test/fts3corrupt4.test,
          test/permutations.test.
        - CVE-2018-20346
        - CVE-2018-20506
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2018-20505.patch: remove assert
          which fails due to a malformed PK and add check in
          src/wherecode.c, test/rowvalue.test.
        - CVE-2018-20505
      * SECURITY UPDATE: heap out-of-bound read
        - debian/patches/CVE-2019-8457.patch: enhance the
          rtreenode() in ext/rtree/rtree.c.
        - debian/patches/CVE-2019-8457-string-interface.patch:
          add string interface in src/btree.c, src/build.c,
          src/func.c, src/mutex.c, src/pragma.c, src/printf.c,
          src/sqlite.h.in, src/sqliteInt.h, src/treeview.c,
          src/vdbeaux.c, src/vdbetrace.c, src/wherecode.c.
        - CVE-2019-8457
      * SECURITY UPDATE: heap-buffer over-read
        - debian/patches/cve-2019-9936.patch: add checks
          in code in order to fix in ext/fts5/fts5_hash.c,
          ext/fts5/test/fts5aa.test.
        - CVE-2019-9936
      * SECURITY UPDATE: NULL pointer dereference
        - debian/patches/cve-2019-9937.patch: fix in
          ext/fts5/fts5Int.h, ext/fts5/fts5_hash.c, ext/fts5/fts5_index.c,
          ext/fts5/test/fts5aa.test.
        - CVE-2019-9937
    
     -- <email address hidden> (Leonidas S. Barbosa)  Fri, 14 Jun 2019 15:02:21 -0300
  • sqlite3 (3.22.0-1) unstable; urgency=medium
    
      * New upstream release (closes: #867387).
      * Update libsqlite3-0 symbols.
      * Replace autotools updateconfig with the debhelper one.
      * Update Standards-Version to 4.1.3:
        - remove libsqlite3-0-dbg package and use the auto-generated one
          (closes: #883556).
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Mon, 22 Jan 2018 21:41:23 +0000
  • sqlite3 (3.21.0-1) unstable; urgency=medium
    
      * New upstream release.
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Sat, 04 Nov 2017 19:55:46 +0000
  • sqlite3 (3.20.1-2) unstable; urgency=high
    
      * Backport fix for CVE-2017-15286, NULL pointer dereference in
        tableColumnList() (closes: #878680).
      * Update Standards-Version to 4.1.1:
        - change libsqlite3-0-dbg priority to optional.
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Mon, 16 Oct 2017 17:23:10 +0000
  • sqlite3 (3.19.3-3) unstable; urgency=high
    
      * Backport fix for CVE-2017-10989, heap-based buffer over-read via
        undersized RTree blobs (closes: #867618).
    
     -- Laszlo Boszormenyi (GCS) <email address hidden>  Fri, 07 Jul 2017 20:59:53 +0000