| Message ID | 20201210220853.375772-1-fontaine.fabrice@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/sqlcipher: security bump to version 4.4.2 | expand |
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2020-27207: Zetetic SQLCipher 4.x before 4.4.1 has a > use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in > sqlite3.c. A remote denial of service attack can be performed. For > example, a SQL injection can be used to execute the crafted SQL command > sequence. After that, some unexpected RAM data is read. > https://www.zetetic.net/blog/2020/11/25/sqlcipher-442-release > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed, thanks.
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2020-27207: Zetetic SQLCipher 4.x before 4.4.1 has a > use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in > sqlite3.c. A remote denial of service attack can be performed. For > example, a SQL injection can be used to execute the crafted SQL command > sequence. After that, some unexpected RAM data is read. > https://www.zetetic.net/blog/2020/11/25/sqlcipher-442-release > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2020.02.x, 2020.08.x and 2020.11.x, thanks.
diff --git a/package/sqlcipher/sqlcipher.hash b/package/sqlcipher/sqlcipher.hash index c37db7a20a..96a6a74013 100644 --- a/package/sqlcipher/sqlcipher.hash +++ b/package/sqlcipher/sqlcipher.hash @@ -1,3 +1,3 @@ # locally computed -sha256 fccb37e440ada898902b294d02cde7af9e8706b185d77ed9f6f4d5b18b4c305f sqlcipher-4.3.0.tar.gz +sha256 87458e0e16594b3ba6c7a1f046bc1ba783d002d35e0e7b61bb6b7bb862f362a7 sqlcipher-4.4.2.tar.gz sha256 3eee3c7964a9becc94d747bd36703d31fc86eb994680b06a61bfd4f2661eaac8 LICENSE diff --git a/package/sqlcipher/sqlcipher.mk b/package/sqlcipher/sqlcipher.mk index 14290745aa..5a9a77c1ee 100644 --- a/package/sqlcipher/sqlcipher.mk +++ b/package/sqlcipher/sqlcipher.mk @@ -4,7 +4,7 @@ # ################################################################################ -SQLCIPHER_VERSION = 4.3.0 +SQLCIPHER_VERSION = 4.4.2 SQLCIPHER_SITE = $(call github,sqlcipher,sqlcipher,v$(SQLCIPHER_VERSION)) SQLCIPHER_LICENSE = BSD-3-Clause SQLCIPHER_LICENSE_FILES = LICENSE
Fix CVE-2020-27207: Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read. https://www.zetetic.net/blog/2020/11/25/sqlcipher-442-release Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/sqlcipher/sqlcipher.hash | 2 +- package/sqlcipher/sqlcipher.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)