[ubuntu/eoan-security] sqlite3 3.29.0-2ubuntu0.3 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Jun 10 13:22:16 UTC 2020
sqlite3 (3.29.0-2ubuntu0.3) eoan-security; urgency=medium
* SECURITY UPDATE: crash via SELECT statements with a nonexistent VIEW
- debian/patches/CVE-2019-19603-pre1.patch: break out the test for
writable shadow tables into a separate subroutine in src/alter.c,
src/build.c, src/delete.c, src/sqliteInt.h.
- debian/patches/CVE-2019-19603.patch: do not allow CREATE TABLE or
CREATE VIEW of an object with a name that looks like a shadow table
name in src/build.c, src/sqliteInt.h, test/altertab.test.
- CVE-2019-19603
* SECURITY UPDATE: infinite recursion via certain views
- debian/patches/CVE-2019-19645.patch: avoid infinite recursion in the
ALTER TABLE code when a view contains an unused CTE that references,
directly or indirectly, the view itself in src/alter.c,
src/build.c, src/sqliteInt.h, test/altertab3.test.
- CVE-2019-19645
* SECURITY UPDATE: DoS via malformed window-function query
- debian/patches/CVE-2020-11655-1.patch: remove two incorrect assert()
statements in src/select.c, test/colname.test.
- debian/patches/CVE-2020-11655-2.patch: in the event of error,
early-out in src/select.c, test/window1.test.
- debian/patches/CVE-2020-11655-3.patch: do not suppress errors when
resolving references in src/resolve.c, test/altertab.test.
- CVE-2020-11655
* SECURITY UPDATE: integer overflow in sqlite3_str_vappendf
- debian/patches/CVE-2020-13434.patch: limit the "precision" of
floating-point to text conversions in src/printf.c, test/printf.test.
- CVE-2020-13434
* SECURITY UPDATE: segmentation fault in sqlite3ExprCodeTarget
- debian/patches/CVE-2020-13435-pre1.patch: move some utility Walker
callbacks in src/expr.c, src/select.c, src/sqliteInt.h,
src/walker.c.
- debian/patches/CVE-2020-13435-1.patch: be sure to adjust the Expr.op2
field appropriately in src/resolve.c, src/window.c,
test/window1.test.
- debian/patches/CVE-2020-13435-2.patch: add defensive code in
src/expr.c.
- CVE-2020-13435
* SECURITY UPDATE: use-after-free in fts3EvalNextRow
- debian/patches/CVE-2020-13630.patch: add fix to ext/fts3/fts3.c,
test/fts3snippet.test.
- CVE-2020-13630
* SECURITY UPDATE: virtual table rename issue
- debian/patches/CVE-2020-13631.patch: do not allow a virtual table to
be renamed into the name of one of its shadows in src/alter.c,
src/build.c, src/sqliteInt.h.
- CVE-2020-13631
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2020-13632.patch: fix issue in
ext/fts3/fts3_snippet.c, test/fts3matchinfo2.test.
- CVE-2020-13632
Date: 2020-06-09 11:23:21.085201+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/sqlite3/3.29.0-2ubuntu0.3
-------------- next part --------------
Sorry, changesfile not available.
More information about the Eoan-changes
mailing list