Debian 10232 Published by

Updated SQLite3 packages has been released for Debian GNU/Linux 8 LTS



Package : sqlite3
Version : 3.8.7.1-1+deb8u4
CVE ID : CVE-2017-2518 CVE-2017-2519 CVE-2017-2520
CVE-2017-10989 CVE-2018-8740
Debian Bug : 867618 893195

Several flaws were corrected in SQLite, an SQL database engine.

CVE-2017-2518

A use-after-free bug in the query optimizer may cause a
buffer overflow and application crash via a crafted SQL statement.

CVE-2017-2519

Insufficient size of the reference count on Table objects
could lead to a denial-of-service or arbitrary code execution.

CVE-2017-2520

The sqlite3_value_text() interface returned a buffer that was not
large enough to hold the complete string plus zero terminator when
the input was a zeroblob. This could lead to arbitrary code
execution or a denial-of-service.

CVE-2017-10989

SQLite mishandles undersized RTree blobs in a crafted database
leading to a heap-based buffer over-read or possibly unspecified
other impact.

CVE-2018-8740

Databases whose schema is corrupted using a CREATE TABLE AS
statement could cause a NULL pointer dereference.

For Debian 8 "Jessie", these problems have been fixed in version
3.8.7.1-1+deb8u4.

We recommend that you upgrade your sqlite3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
  SQLite3 Security Update for Debian 8 LTS