BSA-2020-945
21554
10 May 2021
10 May 2021
Closed
Low
N/A
N/A
CVE-2020-11656, CVE-2020-13632, CVE-2020-13631, CVE-2020-13435, CVE-2019-19646, CVE-2019-16168, CVE-2019-19645, CVE-2020-13434, CVE-2020-13630
Summary
Security Advisory ID: BSA-2020-945
Component: SQLite
Revision: 1.0
Various SQLite issues seen in SQLite versions through 3.31.1.
CVE-2020-11656 - CVSS3.1 - 9.8
In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVE-2020-13632 - CVSS3.1 - 5.5
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
CVE-2020-13631 - CVSS3.1 - 5.5
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVE-2020-13435 - CVSS3.1 - 5.5
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
CVE-2019-19646 - CVSS3.1 - 9.8
pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
CVE-2019-16168 - CVSS3.1 - 6.5
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
CVE-2019-19645 - CVSS3.1 - 5.5
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2020-13434 - CVSS3.1 - 5.5
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
CVE-2020-13630 - CVSS3.1 - 7.0
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
Affected Products
Brocade Fabric OS is not affected. However, a security update to SQLite is provided in Brocade Fabric OS 9.0.1.
Products Confirmed Not Vulnerable
No Brocade Fibre Channel products from Broadcom are currently known to be affected by this vulnerability.
Revision History
| Version | Change | Date |
|---|---|---|
| 1.0 | Initial Publication | May 10, 2021 |