Bug 760690 (CVE-2020-27207) - <dev-db/sqlcipher-4.5.1: use after free leading to DoS (CVE-2020-27207)
Summary: <dev-db/sqlcipher-4.5.1: use after free leading to DoS (CVE-2020-27207)
Alias: CVE-2020-27207
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 836922 837008
Reported: 2020-12-19 03:29 UTC by John Helmert III
Modified: 2022-04-11 07:01 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 03:29:26 UTC
CVE-2020-27207:

Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.

Maintainer, please bump to 4.4.1.
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:13:49 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Till Schäfer 2022-01-04 10:40:39 UTC
Simply renaming the latest ebuild to the 4.5.0 works like a charm here.
Comment 8 Sergey Popov gentoo-dev 2022-04-05 10:23:32 UTC
Arches, please test and mark stable:

Thanks in advance
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-06 13:54:01 UTC
No, stabilizations are not done in security bugs anymore, as announced here:

Please also remember to use Bug: tags to associate the security bump to the security bug.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 13:52:16 UTC
Please clean up.
Comment 11 Larry the Git Cow gentoo-dev 2022-04-11 07:01:04 UTC
The bug has been referenced in the following commit(s):

commit ff28e488512db2d448a46dd2144a846399904cc7
Author:     Sergey Popov <>
AuthorDate: 2022-04-11 07:00:16 +0000
Commit:     Sergey Popov <>
CommitDate: 2022-04-11 07:00:29 +0000

    dev-dv/sqlcipher: drop old vulnerable version
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Sergey Popov <>

 dev-db/sqlcipher/Manifest               |  1 -
 dev-db/sqlcipher/sqlcipher-4.0.1.ebuild | 70 ---------------------------------
 2 files changed, 71 deletions(-)