Vulnerability in SQLite 3.39.2 CVE-2022-46908 #606
Comments
Hello @sankar-gp, we're aware of this issue. The SQLite team has fixed it in source control but has not yet published an official release with the change. Based on this discussion it may be some time until it is included in a release. It's worth noting that this issue would only affect applications using the command line shell to process untrusted SQL scripts using the Given these factors, the fix for this issue will be included once the change appears in an official SQLite release, and once we update SQLCipher to use that version as a baseline. I will keep this ticket open for now to facilitate tracking.
Hi @sjlombardo, any update on this issue? If you can provide a tentative release date, it would be helpful. Thanks!
Hello @sankar-gp, we just released SQLCipher 4.5.3 on 12-19-2022. The 4.5.3 release is based on SQLite upstream 3.39.4. The thread linked above also links to the fix. SQLCipher will include this fix if it is included in the next upstream release merged in. We do not have a timeframe available at the moment for our next release, however.
I suspect this should be fixed in SQLite 3.40.1:
Hi @developernotes / @sjlombardo / @billymeltdown, any update on this issue?
Hello @sankar-gp - To recap, CVE-2022-46908 does not impact the SQLCipher or SQLite libraries at all. It only affects the command line shell, which is not included in the SQLCipher for Android packages. Thus, there is no impact for any Android applications using SQLCipher as an embedded library and associated warnings should be treated as false positives. The next release of SQLCipher will be based on a newer version of SQLite, version 3.40.1 or higher, but we do not have a published timeline for a new release right now.
Our internal tool reported that there is a vulnerability in SQLite 3.39.2
CVE-2022-46908
Description
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
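As an added example that is not part of this issue thread or the SQLCipher project: a small Python triage rule that applies the maintainers' conclusion (CVE-2022-46908 lives only in the sqlite3 command-line shell, affecting versions through 3.40.0, with the fix expected from 3.40.1) to constructed scanner findings, so that library-only packages such as SQLCipher for Android are marked as false positives instead of open vulnerabilities. The `Finding` records and the `ships_cli_shell` flag are assumptions made for this example.

```python
"""Triage scanner findings for CVE-2022-46908 (SQLite CLI --safe bypass).

Added example, not code from the SQLCipher project or this issue thread.
The finding records are constructed; the rule encodes what the thread
states: the bug is in the sqlite3 shell only, not in the SQLite or
SQLCipher library, and versions through 3.40.0 are affected.
"""
from dataclasses import dataclass

CVE = "CVE-2022-46908"
FIRST_FIXED = (3, 40, 1)  # thread: fix expected in SQLite 3.40.1


@dataclass
class Finding:
    component: str          # e.g. "sqlite", "sqlcipher" (assumed schema)
    version: str            # upstream SQLite version, e.g. "3.39.2"
    ships_cli_shell: bool   # does the package include the sqlite3 shell?


def parse_version(text: str) -> tuple:
    """Turn '3.39.2' into (3, 39, 2); missing trailing parts count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def triage(f: Finding) -> str:
    """Classify one finding as 'fixed', 'false_positive' or 'affected'."""
    if parse_version(f.version) >= FIRST_FIXED:
        return "fixed"
    if not f.ships_cli_shell:
        # Embedded-library use (e.g. SQLCipher for Android): the shell's
        # --safe option is never involved, so the report is a false positive.
        return "false_positive"
    # An older sqlite3 shell is present; the --safe bypass can matter if
    # the shell is used to run untrusted SQL scripts.
    return "affected"


# Constructed sample findings, modelled on the versions named in the thread.
SAMPLE_FINDINGS = [
    Finding("sqlcipher-android", "3.39.4", ships_cli_shell=False),
    Finding("sqlite-cli", "3.39.2", ships_cli_shell=True),
    Finding("sqlite-cli", "3.40.1", ships_cli_shell=True),
]


def summarize(findings=SAMPLE_FINDINGS) -> dict:
    """Count findings per triage verdict, e.g. for a scanner suppression report."""
    counts = {"fixed": 0, "false_positive": 0, "affected": 0}
    for f in findings:
        counts[triage(f)] += 1
    return counts
```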