Security update for sqlite3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1058-1 Final 1 1 2021-07-19T21:03:43Z current 2021-07-19T21:03:43Z 2021-07-19T21:03:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sqlite3 This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1058 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ E-Mail link for openSUSE-SU-2021:1058-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1157818 SUSE Bug 1157818 https://bugzilla.suse.com/1158812 SUSE Bug 1158812 https://bugzilla.suse.com/1158958 SUSE Bug 1158958 https://bugzilla.suse.com/1158959 SUSE Bug 1158959 https://bugzilla.suse.com/1158960 SUSE Bug 1158960 https://bugzilla.suse.com/1159491 SUSE Bug 1159491 https://bugzilla.suse.com/1159715 SUSE Bug 1159715 https://bugzilla.suse.com/1159847 SUSE Bug 1159847 https://bugzilla.suse.com/1159850 SUSE Bug 1159850 https://bugzilla.suse.com/1160309 SUSE Bug 1160309 https://bugzilla.suse.com/1160438 SUSE Bug 1160438 https://bugzilla.suse.com/1160439 SUSE Bug 1160439 https://bugzilla.suse.com/1164719 SUSE Bug 1164719 https://bugzilla.suse.com/1172091 SUSE Bug 1172091 https://bugzilla.suse.com/1172115 SUSE Bug 1172115 https://bugzilla.suse.com/1172234 SUSE Bug 1172234 https://bugzilla.suse.com/1172236 SUSE Bug 1172236 https://bugzilla.suse.com/1172240 SUSE Bug 1172240 https://bugzilla.suse.com/1173641 SUSE Bug 1173641 https://bugzilla.suse.com/928700 SUSE Bug 928700 https://bugzilla.suse.com/928701 SUSE Bug 928701 https://www.suse.com/security/cve/CVE-2015-3414/ SUSE CVE CVE-2015-3414 page https://www.suse.com/security/cve/CVE-2015-3415/ SUSE CVE CVE-2015-3415 page https://www.suse.com/security/cve/CVE-2019-19244/ SUSE CVE CVE-2019-19244 page https://www.suse.com/security/cve/CVE-2019-19317/ SUSE CVE CVE-2019-19317 page https://www.suse.com/security/cve/CVE-2019-19603/ SUSE CVE CVE-2019-19603 page https://www.suse.com/security/cve/CVE-2019-19645/ SUSE CVE CVE-2019-19645 page https://www.suse.com/security/cve/CVE-2019-19646/ SUSE CVE CVE-2019-19646 page https://www.suse.com/security/cve/CVE-2019-19880/ SUSE CVE CVE-2019-19880 page https://www.suse.com/security/cve/CVE-2019-19923/ SUSE CVE CVE-2019-19923 page https://www.suse.com/security/cve/CVE-2019-19924/ SUSE CVE CVE-2019-19924 page https://www.suse.com/security/cve/CVE-2019-19925/ SUSE CVE CVE-2019-19925 page https://www.suse.com/security/cve/CVE-2019-19926/ SUSE CVE CVE-2019-19926 page https://www.suse.com/security/cve/CVE-2019-19959/ SUSE CVE CVE-2019-19959 page https://www.suse.com/security/cve/CVE-2019-20218/ SUSE CVE CVE-2019-20218 page https://www.suse.com/security/cve/CVE-2020-13434/ SUSE CVE CVE-2020-13434 page https://www.suse.com/security/cve/CVE-2020-13435/ SUSE CVE CVE-2020-13435 page https://www.suse.com/security/cve/CVE-2020-13630/ SUSE CVE CVE-2020-13630 page https://www.suse.com/security/cve/CVE-2020-13631/ SUSE CVE CVE-2020-13631 page https://www.suse.com/security/cve/CVE-2020-13632/ SUSE CVE CVE-2020-13632 page https://www.suse.com/security/cve/CVE-2020-15358/ SUSE CVE CVE-2020-15358 page https://www.suse.com/security/cve/CVE-2020-9327/ SUSE CVE CVE-2020-9327 page openSUSE Leap 15.2 libsqlite3-0-3.36.0-lp152.4.3.1 libsqlite3-0-32bit-3.36.0-lp152.4.3.1 sqlite3-3.36.0-lp152.4.3.1 sqlite3-devel-3.36.0-lp152.4.3.1 sqlite3-doc-3.36.0-lp152.4.3.1 libsqlite3-0-3.36.0-lp152.4.3.1 as a component of openSUSE Leap 15.2 libsqlite3-0-32bit-3.36.0-lp152.4.3.1 as a component of openSUSE Leap 15.2 sqlite3-3.36.0-lp152.4.3.1 as a component of openSUSE Leap 15.2 sqlite3-devel-3.36.0-lp152.4.3.1 as a component of openSUSE Leap 15.2 sqlite3-doc-3.36.0-lp152.4.3.1 as a component of openSUSE Leap 15.2 SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement. CVE-2015-3414 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2015-3414.html CVE-2015-3414 https://bugzilla.suse.com/1085790 SUSE Bug 1085790 https://bugzilla.suse.com/1190372 SUSE Bug 1190372 https://bugzilla.suse.com/1193078 SUSE Bug 1193078 https://bugzilla.suse.com/928700 SUSE Bug 928700 https://bugzilla.suse.com/928701 SUSE Bug 928701 https://bugzilla.suse.com/928702 SUSE Bug 928702 The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement. CVE-2015-3415 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2015-3415.html CVE-2015-3415 https://bugzilla.suse.com/1190372 SUSE Bug 1190372 https://bugzilla.suse.com/928700 SUSE Bug 928700 https://bugzilla.suse.com/928701 SUSE Bug 928701 https://bugzilla.suse.com/928702 SUSE Bug 928702 sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. CVE-2019-19244 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19244.html CVE-2019-19244 https://bugzilla.suse.com/1157817 SUSE Bug 1157817 https://bugzilla.suse.com/1157818 SUSE Bug 1157818 lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact. CVE-2019-19317 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 low 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19317.html CVE-2019-19317 https://bugzilla.suse.com/1158812 SUSE Bug 1158812 https://bugzilla.suse.com/1196773 SUSE Bug 1196773 https://bugzilla.suse.com/1196775 SUSE Bug 1196775 SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. CVE-2019-19603 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19603.html CVE-2019-19603 https://bugzilla.suse.com/1158960 SUSE Bug 1158960 https://bugzilla.suse.com/1193078 SUSE Bug 1193078 alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. CVE-2019-19645 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19645.html CVE-2019-19645 https://bugzilla.suse.com/1158958 SUSE Bug 1158958 pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns. CVE-2019-19646 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19646.html CVE-2019-19646 https://bugzilla.suse.com/1158959 SUSE Bug 1158959 exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled. CVE-2019-19880 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19880.html CVE-2019-19880 https://bugzilla.suse.com/1159491 SUSE Bug 1159491 https://bugzilla.suse.com/1159715 SUSE Bug 1159715 https://bugzilla.suse.com/1162833 SUSE Bug 1162833 flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results). CVE-2019-19923 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19923.html CVE-2019-19923 https://bugzilla.suse.com/1160309 SUSE Bug 1160309 https://bugzilla.suse.com/1162833 SUSE Bug 1162833 SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. CVE-2019-19924 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19924.html CVE-2019-19924 https://bugzilla.suse.com/1159850 SUSE Bug 1159850 zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. CVE-2019-19925 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19925.html CVE-2019-19925 https://bugzilla.suse.com/1159847 SUSE Bug 1159847 https://bugzilla.suse.com/1162833 SUSE Bug 1162833 multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880. CVE-2019-19926 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19926.html CVE-2019-19926 https://bugzilla.suse.com/1159491 SUSE Bug 1159491 https://bugzilla.suse.com/1159715 SUSE Bug 1159715 https://bugzilla.suse.com/1162833 SUSE Bug 1162833 ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. CVE-2019-19959 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-19959.html CVE-2019-19959 https://bugzilla.suse.com/1160438 SUSE Bug 1160438 selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. CVE-2019-20218 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2019-20218.html CVE-2019-20218 https://bugzilla.suse.com/1160439 SUSE Bug 1160439 https://bugzilla.suse.com/1189840 SUSE Bug 1189840 https://bugzilla.suse.com/1190372 SUSE Bug 1190372 https://bugzilla.suse.com/1192495 SUSE Bug 1192495 https://bugzilla.suse.com/1193078 SUSE Bug 1193078 SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. CVE-2020-13434 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-13434.html CVE-2020-13434 https://bugzilla.suse.com/1172115 SUSE Bug 1172115 SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c. CVE-2020-13435 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 important 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-13435.html CVE-2020-13435 https://bugzilla.suse.com/1172091 SUSE Bug 1172091 ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. CVE-2020-13630 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-13630.html CVE-2020-13630 https://bugzilla.suse.com/1172234 SUSE Bug 1172234 SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. CVE-2020-13631 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-13631.html CVE-2020-13631 https://bugzilla.suse.com/1172236 SUSE Bug 1172236 ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. CVE-2020-13632 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-13632.html CVE-2020-13632 https://bugzilla.suse.com/1172240 SUSE Bug 1172240 In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. CVE-2020-15358 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-15358.html CVE-2020-15358 https://bugzilla.suse.com/1173641 SUSE Bug 1173641 In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. CVE-2020-9327 openSUSE Leap 15.2:libsqlite3-0-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:libsqlite3-0-32bit-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-devel-3.36.0-lp152.4.3.1 openSUSE Leap 15.2:sqlite3-doc-3.36.0-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SB6Z44NRR3L5O3VXGRWAB7XUKDS4TMFZ/ https://www.suse.com/security/cve/CVE-2020-9327.html CVE-2020-9327 https://bugzilla.suse.com/1164719 SUSE Bug 1164719