The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13685
Upstream Bug: http://email@example.com/msg105314.html
Please keep in mind that stabilizing sqlite 3.20 would very likely break stable app-misc/tracker functionality. I hope we can coordinate in a way stable tracker users won't have issues. Me and EvaSDK should be available for such on IRC; might be easier to backport any fix for starters instead of stabilizing 3.20, but maybe we can get newer tracker stable together with sqlite 3.20 if needed and verified it's fine.
"This is a problem in the command-line shell program, not the the core SQLite library."
So it does not seem like a real security vulnerability.
@maintainer(s), please test patches and call for stable if possible.
[The ".dump" comman crashes following PRAGMA empty_result_callbacks=1]