Bugzilla – Bug 1085790
VUL-1: CVE-2018-8740: sqlite3, sqlite2: Databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference
Last modified: 2024-07-19 12:30:51 UTC
CVE-2018-8740
In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.
sqlite2/3 everywhere affected. No reproducer
References:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8740
  http://seclists.org/oss-sec/2018/q1/244
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6964
  https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1756349
  https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema
  https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b
I am definitely bugowner for sqlite3, sqlite2 is still in TW but I guess it can be dropped.
We used to keep sqlite2 for gphoto2, so that it can still read and migrate databases that were created with older versions. Marcus, is this backwards compatibility still needed?
sqlite2 is depended on by: libdbi-drivers-dbd-sqlite gambas3-gb-db-sqlite2
digikam uses sqlite, not gphoto2 ... ;) but I can try to find out
I think it's not related anymore.
SUSE-SU-2019:1208-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1085790,1132045
CVE References: CVE-2017-10989,CVE-2018-8740
Sources used:
  SUSE Linux Enterprise Software Development Kit 12-SP4 (src): sqlite3-3.8.10.2-9.6.1
  SUSE Linux Enterprise Software Development Kit 12-SP3 (src): sqlite3-3.8.10.2-9.6.1
  SUSE Linux Enterprise Server 12-SP4 (src): sqlite3-3.8.10.2-9.6.1
  SUSE Linux Enterprise Server 12-SP3 (src): sqlite3-3.8.10.2-9.6.1
  SUSE Linux Enterprise Desktop 12-SP4 (src): sqlite3-3.8.10.2-9.6.1
  SUSE Linux Enterprise Desktop 12-SP3 (src): sqlite3-3.8.10.2-9.6.1
  SUSE CaaS Platform ALL (src): sqlite3-3.8.10.2-9.6.1
  SUSE CaaS Platform 3.0 (src): sqlite3-3.8.10.2-9.6.1
  OpenStack Cloud Magnum Orchestration 7 (src): sqlite3-3.8.10.2-9.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1426-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1085790,1132045
CVE References: CVE-2017-10989,CVE-2018-8740
Sources used:
  openSUSE Leap 42.3 (src): sqlite3-3.8.10.2-11.7.1
SUSE-SU-2019:1522-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1085790,1132045,1136976
CVE References: CVE-2017-10989,CVE-2018-8740,CVE-2019-8457
Sources used:
  SUSE Linux Enterprise Server 12-LTSS (src): sqlite3-3.8.3.1-2.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14228-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1085790,1155787
CVE References: CVE-2017-2518,CVE-2018-8740
Sources used:
  SUSE Linux Enterprise Debuginfo 11-SP3 (src): sqlite3-3.6.4-4.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.