Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717802 (CVE-2019-19242, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-20218)

Summary: <dev-db/sqlite-3.31.0: Multiple vulnerabilities (CVE-2019-{19244,19242,19317,19603,20218})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: arfrever.fta, floppym
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: A2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 711526    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 05:47:41 UTC
CVE-2019-20218 (
  selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack
  unwinding even after a parsing error.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 20:20:25 UTC
CVE-2019-19603 (
  SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW,
  leading to an application crash.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 20:24:56 UTC
CVE-2019-19317 (
  lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask
  in the case of a generated column, which allows attackers to cause a denial
  of service or possibly have unspecified other impact.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 20:26:44 UTC
CVE-2019-19244 (
  sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select
  uses both DISTINCT and window functions, and also has certain ORDER BY

CVE-2019-19242 (
  SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN
  case in sqlite3ExprCodeTarget in expr.c.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-23 14:45:22 UTC
Repository is clean, all done.