There's a report about a severe security vuln in sqlite before 3.26.0: https://blade.tencent.com/magellan/index_en.html This is unfortunately lacking any details and it sounds overhyped, but still it'd probably be good to update asap.
Chromium apparently fixed it by updating their bundled copy to 3.25.3, so I suspect that is sufficient. It's pretty serious in the Chromium use case, since it allows arbitrary websites to exploit it.

Other affected* packages (maybe should get sqlite de-bundled anyway):
- dev-qt/qtwebengine-5.11.1
- dev-perl/DBD-SQLite-1.560.0
- dev-qt/qt-creator-4.6.2
- sys-libs/db-5.3.28-r2
- dev-db/sqlcipher-3.4.2

* It's possible their /usage/ of SQLite isn't meaningfully vulnerable; I didn't check that.
I'm not sure if it's safe, but Qt Creator at least *seems* to work using the system SQLite if I just delete its copy (/usr/lib64/qtcreator/libSqlite.so.4.6.2)
Write-up that seems convincing here: https://news.ycombinator.com/item?id=18686305 Including what appears to be an endorsement from Richard Hipp pointing to the page: https://www.sqlite.org/security.html If the write-up is to be believed, then the specific fix is in 3.25.3 (currently stable for amd64 and x86), while 3.26.0 includes a more generic solution that is off by default and will require applications to enable it.
Qt WebEngine bug tracker: https://bugreports.qt.io/browse/QTBUG-72632
*** This bug has been marked as a duplicate of bug 672942 ***
dev-db/sqlite-3.26.0 will be added, but the security fix is present in dev-db/sqlite-3.25.3.

In https://sqlite.org/releaselog/3_25_3.html the relevant fix is described as:
3. Strengthen defenses against deliberately corrupted database files.

The relevant commit on branch "branch-3.25" (https://sqlite.org/src/timeline?r=branch-3.25) is:
Add extra defenses against strategically corrupt databases to fts3/4.
https://sqlite.org/src/info/940f2adc8541a838

The fix has also been hodiernally backported to 4 other branches: "branch-3.9", "branch-3.18", "branch-3.19", "branch-3.22".

In https://sqlite.org/releaselog/3_26_0.html the relevant new features are described as:
3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.
4. Added support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled.

So a new explicit call to sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL) will be needed in applications wanting additional protection.
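Added example, not code from this bug thread, from SQLite, from Gentoo, or from any of the packages listed above: it drives libsqlite3 through ctypes so the exact C call recommended in the last comment, sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL), can be shown, then checks what the 3.26.0 "read-only shadow tables" feature actually changes. It creates an FTS4 table, inserts into it normally, and then tries a direct INSERT into the ft_segdir shadow table: on a default connection the write is allowed (this is the "create a corrupt database using ordinary SQL" path), on a defensive connection it is rejected while the module's own internal shadow writes keep working. Assumptions: a libsqlite3 shared library of version 3.26.0 or newer that ctypes can find; the table name ft, the sample documents and the garbage segdir row are constructed for the example. On Python 3.12+ the stdlib equivalent of the flag is conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True).

```python
"""Show SQLITE_DBCONFIG_DEFENSIVE making FTS4 shadow tables read-only.

Added example; not code from the bug thread or from SQLite itself.
Assumes libsqlite3 >= 3.26.0 is installed and findable by ctypes.
"""
import ctypes
import ctypes.util

SQLITE_OK = 0
SQLITE_OPEN_READWRITE = 0x00000002
SQLITE_OPEN_CREATE = 0x00000004
SQLITE_DBCONFIG_DEFENSIVE = 1010  # value from sqlite3.h

# Constructed sample data and a constructed garbage shadow-table row: a
# segment directory entry whose "root" node is a single zero byte.
SAMPLE_DOCS = ["bundled sqlite copies", "defensive flag", "shadow tables"]
SHADOW_WRITE = (
    "INSERT INTO ft_segdir(level, idx, start_block, leaves_end_block, end_block, root) "
    "VALUES (0, 99, 0, 0, 0, x'00')"
)


def _load_libsqlite3():
    """Locate the shared library (assumption: some libsqlite3 is installed)."""
    names = [ctypes.util.find_library("sqlite3"), "libsqlite3.so.0", "libsqlite3.dylib"]
    for name in filter(None, names):
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    raise OSError("libsqlite3 shared library not found")


lib = _load_libsqlite3()
lib.sqlite3_open_v2.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_void_p),
                                ctypes.c_int, ctypes.c_char_p]
lib.sqlite3_open_v2.restype = ctypes.c_int
# sqlite3_db_config is variadic: declare the fixed parameters only, pass the
# per-option arguments at the call site.
lib.sqlite3_db_config.argtypes = [ctypes.c_void_p, ctypes.c_int]
lib.sqlite3_db_config.restype = ctypes.c_int
lib.sqlite3_exec.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_void_p,
                             ctypes.c_void_p, ctypes.POINTER(ctypes.c_char_p)]
lib.sqlite3_exec.restype = ctypes.c_int
lib.sqlite3_free.argtypes = [ctypes.c_void_p]
lib.sqlite3_free.restype = None
lib.sqlite3_close.argtypes = [ctypes.c_void_p]
lib.sqlite3_close.restype = ctypes.c_int


def run_sql(db, sql):
    """Execute one statement via sqlite3_exec; return (rc, error message or None)."""
    err = ctypes.c_char_p()
    rc = lib.sqlite3_exec(db, sql.encode(), None, None, ctypes.byref(err))
    msg = None
    if err.value is not None:
        msg = err.value.decode()
        lib.sqlite3_free(ctypes.cast(err, ctypes.c_void_p))  # errmsg is sqlite3_malloc'd
    return rc, msg


def open_fts_db(defensive):
    """Open an in-memory database, optionally defensive, with a populated FTS4 table."""
    db = ctypes.c_void_p()
    rc = lib.sqlite3_open_v2(b":memory:", ctypes.byref(db),
                             SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, None)
    assert rc == SQLITE_OK, rc
    if defensive:
        # The call the thread recommends: sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL)
        rc = lib.sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, ctypes.c_int(1), None)
        if rc != SQLITE_OK:
            raise RuntimeError("SQLITE_DBCONFIG_DEFENSIVE not accepted; libsqlite3 older than 3.26.0?")
    rc, msg = run_sql(db, "CREATE VIRTUAL TABLE ft USING fts4(content)")
    assert rc == SQLITE_OK, msg
    for doc in SAMPLE_DOCS:  # constants without quotes, so plain formatting is safe here
        rc, msg = run_sql(db, "INSERT INTO ft(content) VALUES ('%s')" % doc)
        assert rc == SQLITE_OK, msg  # the module's own shadow-table writes stay allowed
    return db


def shadow_write_outcome(defensive):
    """Return 'allowed' or 'rejected: <message>' for a direct INSERT into ft_segdir."""
    db = open_fts_db(defensive)
    try:
        rc, msg = run_sql(db, SHADOW_WRITE)
        return "allowed" if rc == SQLITE_OK else "rejected: %s" % msg
    finally:
        lib.sqlite3_close(db)


if __name__ == "__main__":
    print("default connection  :", shadow_write_outcome(False))
    print("defensive connection:", shadow_write_outcome(True))
```

The flag is per connection and is not persisted in the file, which is why the last comment says every application wanting the protection has to make the call itself; a bundled or system SQLite upgrade alone only brings the 3.25.3 fts3/4 hardening, not this setting.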