Operating System: SUSE

Published: 28 September 2022

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4783
                        Security update for sqlite3
                             28 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sqlite3
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-35737 CVE-2021-36690 

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2022/suse-su-20223401-1

Comment: CVSS (Max):  6.3 CVE-2022-35737 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for sqlite3

______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:3401-1
Rating:            moderate
References:        #1189802 #1195773 #1201783
Cross-References:  CVE-2021-36690 CVE-2022-35737
Affected Products:
                   SUSE Linux Enterprise Server 12-SP2-BCL
                   SUSE Linux Enterprise Server 12-SP3-BCL
                   SUSE Linux Enterprise Server 12-SP4-LTSS
                   SUSE Linux Enterprise Server 12-SP5
                   SUSE Linux Enterprise Server for SAP 12-SP4
                   SUSE Linux Enterprise Server for SAP Applications 12-SP5
                   SUSE Linux Enterprise Software Development Kit 12-SP5
                   SUSE OpenStack Cloud 9
                   SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

An update that solves two vulnerabilities and has one erratum is now available.

Description:

This update for sqlite3 fixes the following issues:
Security issues fixed:

  o CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are
    used in a string argument to a C API (bnc#1201783).
  o CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a
    column has no collating sequence (bsc#1189802).


  o Package the Tcl bindings here again so that we only ship one copy of SQLite
    (bsc#1195773).


sqlite3 was updated to 3.39.3:

  o Use a statement journal on DML statements affecting two or more database
    rows if the statement makes use of an SQL function that might abort.
  o Use a mutex to protect the PRAGMA temp_store_directory and PRAGMA
    data_store_directory statements, even though they are deprecated and
    documented as not being threadsafe.


Update to 3.39.2:

  o Fix a performance regression in the query planner associated with
    rearranging the order of FROM clause terms in the presence of a LEFT JOIN.
  o Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and 1345947, forum
    post 3607259d3c, and other minor problems discovered by internal testing.
    [boo#1201783]


Update to 3.39.1:

  o Fix an incorrect result from a query that uses a view that contains a
    compound SELECT in which only one arm contains a RIGHT JOIN and where the
    view is not the first FROM clause term of the query that contains the view
  o Fix a long-standing problem with ALTER TABLE RENAME that can only arise if
    the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set to a very small value.
  o Fix a long-standing problem in FTS3 that can only arise when compiled with
    the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time option.
  o Fix the initial-prefix optimization for the REGEXP extension so that it
    works correctly even if the prefix contains characters that require a
    3-byte UTF8 encoding.
  o Enhance the sqlite_stmt virtual table so that it buffers all of its output.


Update to 3.39.0:

  o Add (long overdue) support for RIGHT and FULL OUTER JOIN
  o Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT
    FROM that are equivalent to IS and IS NOT, respectively, for compatibility
    with PostgreSQL and SQL standards
  o Add a new return code (value "3") from the sqlite3_vtab_distinct()
    interface that indicates a query that has both DISTINCT and ORDER BY
    clauses
  o Added the sqlite3_db_name() interface
  o The unix os interface resolves all symbolic links in database filenames to
    create a canonical name for the database before the file is opened
  o Defer materializing views until the materialization is actually needed,
    thus avoiding unnecessary work if the materialization turns out to never be
    used
  o The HAVING clause of a SELECT statement is now allowed on any aggregate
    query, even queries that do not have a GROUP BY clause
  o Many microoptimizations collectively reduce CPU cycles by about 2.3%.


Update to 3.38.5:

  o Fix a blunder in the CLI of the 3.38.4 release


Update to 3.38.4:

  o Fix a byte-code problem in the Bloom filter pull-down optimization added by
    release 3.38.0 in which an error in the byte code causes the byte code
    engine to enter an infinite loop when the pull-down optimization encounters
    a NULL key


Update to 3.38.3:

  o Fix a case of the query planner being overly aggressive with optimizing
    automatic-index and Bloom-filter construction, using inappropriate ON
    clause terms to restrict the size of the automatic-index or Bloom filter,
    and resulting in missing rows in the output.
  o Other minor patches. See the timeline for details.


Update to 3.38.2:

  o Fix a problem with the Bloom filter optimization that might cause an
    incorrect answer when doing a LEFT JOIN with a WHERE clause constraint that
    says that one of the columns on the right table of the LEFT JOIN is NULL.
  o Other minor patches.


Update to 3.38.1:

  o Fix problems with the new Bloom filter optimization that might cause some
    obscure queries to get an incorrect answer.
  o Fix the localtime modifier of the date and time functions so that it
    preserves fractional seconds.
  o Fix the sqlite_offset SQL function so that it works correctly even in
    corner cases such as when the argument is a virtual column or the column of
    a view.
  o Fix row value IN operator constraints on virtual tables so that they work
    correctly even if the virtual table implementation relies on bytecode to
    filter rows that do not satisfy the constraint.
  o Other minor fixes to assert() statements, test cases, and documentation.
    See the source code timeline for details.


Update to 3.38.0:

  o Add the -> and ->> operators for easier processing of JSON
  o The JSON functions are now built-ins
  o Enhancements to date and time functions
  o Rename the printf() SQL function to format() for better compatibility, with
    alias for backwards compatibility.
  o Add the sqlite3_error_offset() interface for helping localize an SQL error
    to a specific character in the input SQL text
  o Enhance the interface to virtual tables
  o CLI columnar output modes are enhanced to correctly handle tabs and
    newlines embedded in text, and add options like "--wrap N", "--wordwrap
    on", and "--quote" to the columnar output modes.
  o Query planner enhancements using a Bloom filter to speed up large analytic
    queries, and a balanced merge tree to evaluate UNION or UNION ALL compound
    SELECT statements that have an ORDER BY clause.
  o The ALTER TABLE statement is changed to silently ignore entries in the
    sqlite_schema table that do not parse when PRAGMA writable_schema=ON


Update to 3.37.2:

  o Fix a bug introduced in version 3.35.0 (2021-03-12) that can cause database
    corruption if a SAVEPOINT is rolled back while in PRAGMA temp_store=MEMORY
    mode, and other changes are made, and then the outer transaction commits
  o Fix a long-standing problem with ON DELETE CASCADE and ON UPDATE CASCADE in
    which a cache of the bytecode used to implement the cascading change was
    not being reset following a local DDL change


Update to 3.37.1:

  o Fix a bug introduced by the UPSERT enhancements of version 3.35.0 that can
    cause incorrect byte-code to be generated for some obscure but valid SQL,
    possibly resulting in a NULL-pointer dereference.
  o Fix an OOB read that can occur in FTS5 when reading corrupt database files.
  o Improved robustness of the --safe option in the CLI.
  o Other minor fixes to assert() statements and test cases.


Update to 3.37.0:

  o STRICT tables provide a prescriptive style of data type management, for
    developers who prefer that kind of thing.
  o When adding columns that contain a CHECK constraint or a generated column
    containing a NOT NULL constraint, the ALTER TABLE ADD COLUMN now checks new
    constraints against preexisting rows in the database and will only proceed
    if no constraints are violated.
  o Added the PRAGMA table_list statement.
  o Add the .connection command, allowing the CLI to keep multiple database
    connections open at the same time.
  o Add the --safe command-line option that disables dot-commands and SQL
    statements that might cause side-effects that extend beyond the single
    database file named on the command-line.
  o CLI: Performance improvements when reading SQL statements that span many
    lines.
  o Added the sqlite3_autovacuum_pages() interface.
  o The sqlite3_deserialize() does not and has never worked for the TEMP
    database. That limitation is now noted in the documentation.
  o The query planner now omits ORDER BY clauses on subqueries and views if
    removing those clauses does not change the semantics of the query.
  o The generate_series table-valued function extension is modified so that the
    first parameter ("START") is now required. This is done as a way to
    demonstrate how to write table-valued functions with required parameters.
    The legacy behavior is available using the -DZERO_ARGUMENT_GENERATE_SERIES
    compile-time option.
  o Added new sqlite3_changes64() and sqlite3_total_changes64() interfaces.
  o Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
  o Use less memory to hold the database schema.
  o bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert extension
    when a column has no collating sequence.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3401=1
  o SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3401=1
  o SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-3401=1
  o SUSE Linux Enterprise Server for SAP 12-SP4:
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3401=1
  o SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3401=1
  o SUSE Linux Enterprise Server 12-SP4-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3401=1
  o SUSE Linux Enterprise Server 12-SP3-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3401=1
  o SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-3401=1
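
To confirm after patching that no sqlite3 package is still older than the fixed
build in the Package List below, the following check can be used. It is an added
example, not part of the SUSE or AusCERT text. The function names and the sample
inventory are constructed for illustration, and GNU "sort -V" is assumed as an
approximation of RPM's own version comparison.

```shell
#!/bin/sh
# Added example (not from the advisory): flag sqlite3 packages that are older
# than the fixed version-release given in this advisory's Package List.
FIXED="3.39.3-9.23.1"

# Return 0 if version-release $1 is at least $FIXED.
# Assumption: GNU `sort -V` ordering stands in for RPM's comparison
# (no epoch handling), which is adequate for these x.y.z-a.b.c strings.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Read "name version-release" lines on stdin and print the names of packages
# whose version-release is older than $FIXED.
outdated_packages() {
    while read -r name vr; do
        [ -n "$name" ] || continue
        # rpm prints "package X is not installed" for absent packages; skip it.
        case "$name" in package) continue ;; esac
        is_fixed "$vr" || printf '%s\n' "$name"
    done
}

# Constructed sample inventory (not real host output): one package at the
# fixed build, two older ones.
sample_inventory() {
    cat <<'EOF'
libsqlite3-0 3.8.10.2-9.18.1
sqlite3 3.39.3-9.23.1
sqlite3-devel 3.39.3-9.9.1
EOF
}

# Demo on the constructed data. On a real host, feed rpm output instead:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
#       libsqlite3-0 sqlite3 sqlite3-devel sqlite3-tcl | outdated_packages
sample_inventory | outdated_packages
```

Any package name printed still needs the update; empty output means every
listed package is at or beyond 3.39.3-9.23.1.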

Package List:

  o SUSE OpenStack Cloud Crowbar 9 (x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1
  o SUSE OpenStack Cloud 9 (x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1
  o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
    s390x x86_64):
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
  o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1
  o SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
  o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1
  o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
  o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1
  o SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
  o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1
  o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
       libsqlite3-0-3.39.3-9.23.1
       libsqlite3-0-32bit-3.39.3-9.23.1
       libsqlite3-0-debuginfo-3.39.3-9.23.1
       libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
       sqlite3-3.39.3-9.23.1
       sqlite3-debuginfo-3.39.3-9.23.1
       sqlite3-debugsource-3.39.3-9.23.1
       sqlite3-devel-3.39.3-9.23.1
       sqlite3-tcl-3.39.3-9.23.1


References:

  o https://www.suse.com/security/cve/CVE-2021-36690.html
  o https://www.suse.com/security/cve/CVE-2022-35737.html
  o https://bugzilla.suse.com/1189802
  o https://bugzilla.suse.com/1195773
  o https://bugzilla.suse.com/1201783

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================