Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202103-04 ] SQLite: Remote code execution
Date: Wed, 31 Mar 2021 12:31:11
Message-Id: 3e556096-d35c-e974-a817-11a50cbfaafa@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202103-04
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: SQLite: Remote code execution
9 Date: March 31, 2021
10 Bugs: #777990
11 ID: 202103-04
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in SQLite could lead to remote code execution.
19
20 Background
21 ==========
22
23 SQLite is a C library that implements an SQL database engine.
24
25 Affected packages
26 =================
27
28 -------------------------------------------------------------------
29 Package / Vulnerable / Unaffected
30 -------------------------------------------------------------------
31 1 dev-db/sqlite < 3.34.1 >= 3.34.1
32
33 Description
34 ===========
35
36 It was discovered that SQLite incorrectly handled certain sub-queries.
37
38 Impact
39 ======
40
41 A remote attacker could possibly execute arbitrary code with the
42 privileges of the process, or cause a Denial of Service condition.
43
44 Workaround
45 ==========
46
47 There is no known workaround at this time.
48
49 Resolution
50 ==========
51
52 All SQLite users should upgrade to the latest version:
53
54 # emerge --sync
55 # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.34.1"
56
57 References
58 ==========
59
60 [ 1 ] CVE-2021-20227
61 https://nvd.nist.gov/vuln/detail/CVE-2021-20227
62
63 Availability
64 ============
65
66 This GLSA and any updates to it are available for viewing at
67 the Gentoo Security Website:
68
69 https://security.gentoo.org/glsa/202103-04
70
71 Concerns?
72 =========
73
74 Security is a primary focus of Gentoo Linux and ensuring the
75 confidentiality and security of our users' machines is of utmost
76 importance to us. Any security concerns should be addressed to
77 security@g.o or alternatively, you may file a bug at
78 https://bugs.gentoo.org.
79
80 License
81 =======
82
83 Copyright 2021 Gentoo Foundation, Inc; referenced text
84 belongs to its owner(s).
85
86 The contents of this document are licensed under the
87 Creative Commons - Attribution / Share Alike license.
88
89 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
OpenPGP_signature.asc application/pgp-signature