Security update for sqlite3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1222-1 Final 1 1 2019-04-17T13:28:50Z current 2019-04-17T13:28:50Z 2019-04-17T13:28:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sqlite3 This update for sqlite3 fixes the following issues: Security issues fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). - CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576). This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00070.html E-Mail link for openSUSE-SU-2019:1222-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libsqlite3-0-3.8.10.2-11.3.1 libsqlite3-0-32bit-3.8.10.2-11.3.1 sqlite3-3.8.10.2-11.3.1 sqlite3-devel-3.8.10.2-11.3.1 sqlite3-doc-3.8.10.2-11.3.1 libsqlite3-0-3.8.10.2-11.3.1 as a component of openSUSE Leap 42.3 libsqlite3-0-32bit-3.8.10.2-11.3.1 as a component of openSUSE Leap 42.3 sqlite3-3.8.10.2-11.3.1 as a component of openSUSE Leap 42.3 sqlite3-devel-3.8.10.2-11.3.1 as a component of openSUSE Leap 42.3 sqlite3-doc-3.8.10.2-11.3.1 as a component of openSUSE Leap 42.3 SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. CVE-2018-20346 openSUSE Leap 42.3:libsqlite3-0-3.8.10.2-11.3.1 openSUSE Leap 42.3:libsqlite3-0-32bit-3.8.10.2-11.3.1 openSUSE Leap 42.3:sqlite3-3.8.10.2-11.3.1 openSUSE Leap 42.3:sqlite3-devel-3.8.10.2-11.3.1 openSUSE Leap 42.3:sqlite3-doc-3.8.10.2-11.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00070.html https://www.suse.com/security/cve/CVE-2018-20346.html CVE-2018-20346 https://bugzilla.suse.com/1119687 SUSE Bug 1119687 https://bugzilla.suse.com/1120335 SUSE Bug 1120335 https://bugzilla.suse.com/1131576 SUSE Bug 1131576 https://bugzilla.suse.com/1131918 SUSE Bug 1131918 https://bugzilla.suse.com/1131919 SUSE Bug 1131919 https://bugzilla.suse.com/1148893 SUSE Bug 1148893 SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346. CVE-2018-20506 openSUSE Leap 42.3:libsqlite3-0-3.8.10.2-11.3.1 openSUSE Leap 42.3:libsqlite3-0-32bit-3.8.10.2-11.3.1 openSUSE Leap 42.3:sqlite3-3.8.10.2-11.3.1 openSUSE Leap 42.3:sqlite3-devel-3.8.10.2-11.3.1 openSUSE Leap 42.3:sqlite3-doc-3.8.10.2-11.3.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00070.html https://www.suse.com/security/cve/CVE-2018-20506.html CVE-2018-20506 https://bugzilla.suse.com/1131560 SUSE Bug 1131560 https://bugzilla.suse.com/1131576 SUSE Bug 1131576