The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of SQLite: NULL pointer dereference via CREATE TABLE AS

Synthesis of the vulnerability 

An attacker can force a NULL pointer to be dereferenced via CREATE TABLE AS of SQLite, in order to trigger a denial of service.
Vulnerable software: Debian, Fedora, Juniper EX-Series, Juniper J-Series, Junos OS, MX-Series, PTX-Series, QFX-Series, SRX-Series, openSUSE Leap, Oracle DB, Solaris, SQLite, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 19/03/2018.
References of this computer vulnerability: bulletinjul2018, cpuoct2020, CVE-2018-8740, DLA-1633-1, DLA-2340-1, FEDORA-2018-07e15ad5a5, FEDORA-2018-aace372c3f, FEDORA-2019-49f80a78bc, JSA11055, openSUSE-SU-2019:1426-1, SUSE-SU-2019:1208-1, SUSE-SU-2019:14228-1, SUSE-SU-2019:1522-1, USN-4205-1, VIGILANCE-VUL-25573.

Description of the vulnerability 

An attacker can force a NULL pointer to be dereferenced via CREATE TABLE AS of SQLite, in order to trigger a denial of service.

This threat note impacts software or systems such as Debian, Fedora, Juniper EX-Series, Juniper J-Series, Junos OS, MX-Series, PTX-Series, QFX-Series, SRX-Series, openSUSE Leap, Oracle DB, Solaris, SQLite, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity note is medium.

The trust level is "confirmed by the editor", with an origin of "document".

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

SQLite: patch for CREATE TABLE AS.
A patch is indicated in information sources.

Debian 8: new sqlite3 packages.
New packages are available:
  Debian 8: sqlite3 3.8.7.1-1+deb8u4

Debian 9: new sqlite3 packages.
New packages are available:
  Debian 9: sqlite3 3.16.2-5+deb9u2

Fedora 29: new mingw-sqlite packages.
New packages are available:
  Fedora 29: mingw-sqlite 3.26.0.0-1.fc29

Fedora: new sqlite packages.
New packages are available:
  Fedora 26: sqlite 3.20.1-2.fc26
  Fedora 27: sqlite 3.20.1-2.fc27

Junos OS: fixed versions for SQLite.
Fixed versions are indicated in information sources.

openSUSE Leap 42.3: new sqlite3 packages.
New packages are available:
  openSUSE Leap 42.3: libsqlite3-0 3.8.10.2-11.7.1, sqlite3 3.8.10.2-11.7.1

Oracle Database: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Oracle Solaris: patch for third party software of July 2018 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11 SP3: new sqlite3 packages.
New packages are available:
  SUSE LE 11 SP3: sqlite3 3.6.4-4.8.1

SUSE LE 12: new sqlite3 packages (13/05/2019).
New packages are available:
  SUSE LE 12 SP4: sqlite3 3.8.10.2-9.6.1
  SUSE LE 12 SP3: sqlite3 3.8.10.2-9.6.1

SUSE LE 12: new sqlite3 packages (18/06/2019).
New packages are available:
  SUSE LE 12 RTM: sqlite3 3.8.3.1-2.12.1

Ubuntu: new sqlite3 packages.
New packages are available:
  Ubuntu 19.10: libsqlite3-0 3.29.0-2ubuntu0.1, sqlite3 3.29.0-2ubuntu0.1
  Ubuntu 19.04: libsqlite3-0 3.27.2-2ubuntu0.2, sqlite3 3.27.2-2ubuntu0.2
  Ubuntu 18.04 LTS: libsqlite3-0 3.22.0-1ubuntu0.2, sqlite3 3.22.0-1ubuntu0.2
  Ubuntu 16.04 LTS: libsqlite3-0 3.11.0-1ubuntu1.3, sqlite3 3.11.0-1ubuntu1.3
  Ubuntu 12.04 ESM: libsqlite3-0 3.7.9-2ubuntu1.4, sqlite3 3.7.9-2ubuntu1.4
