SUSE-SU-2022:3401-1: moderate: Security update for sqlite3

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Sep 26 19:25:14 UTC 2022


   SUSE Security Update: Security update for sqlite3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3401-1
Rating:             moderate
References:         #1189802 #1195773 #1201783 
Cross-References:   CVE-2021-36690 CVE-2022-35737
CVSS scores:
                    CVE-2021-36690 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-36690 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-35737 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-35737 (SUSE): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

   An update that solves two vulnerabilities and has one
   errata is now available.

Description:

   This update for sqlite3 fixes the following issues:

   Security issues fixed:

   - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are
     used in a string argument to a C API (bnc#1201783).
   - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a
     column has no collating sequence (bsc#1189802).

   - Package the Tcl bindings here again so that we only ship one copy of
     SQLite (bsc#1195773).

   sqlite3 was update to 3.39.3:

   * Use a statement journal on DML statement affecting two or more database
     rows if the statement makes use of a SQL functions that might abort.
   * Use a mutex to protect the PRAGMA temp_store_directory and PRAGMA
     data_store_directory statements, even though they are decremented and
     documented as not being threadsafe.

   Update to 3.39.2:

   * Fix a performance regression in the query planner associated with
     rearranging the order of FROM clause terms in the presences of a LEFT
     JOIN.
   * Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and 1345947, forum
     post 3607259d3c, and other minor problems discovered by internal
     testing. [boo#1201783]

   Update to 3.39.1:

   * Fix an incorrect result from a query that uses a view that contains a
     compound SELECT in which only one arm contains a RIGHT JOIN and where
     the view is not the first FROM clause term
     of the query that contains the view
   * Fix a long-standing problem with ALTER TABLE RENAME that can
     only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set to a
      very small value.
   * Fix a long-standing problem in FTS3 that can only arise when compiled
     with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
     option.
   * Fix the initial-prefix optimization for the REGEXP extension so that it
     works correctly even if the prefix contains characters that require a
     3-byte UTF8 encoding.
   * Enhance the sqlite_stmt virtual table so that it buffers all of its
     output.

   Update to 3.39.0:

   * Add (long overdue) support for RIGHT and FULL OUTER JOIN
   * Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT
     FROM that are equivalent to IS and IS NOT, respective, for compatibility
     with PostgreSQL and SQL standards
   * Add a new return code (value "3") from the sqlite3_vtab_distinct()
     interface that indicates a query that has both DISTINCT and ORDER BY
     clauses
   * Added the sqlite3_db_name() interface
   * The unix os interface resolves all symbolic links in database filenames
     to create a canonical name for the database before the file is opened
   * Defer materializing views until the materialization is actually needed,
     thus avoiding unnecessary work if the materialization turns out to never
     be used
   * The HAVING clause of a SELECT statement is now allowed on any aggregate
     query, even queries that do not have a GROUP BY clause
   * Many microoptimizations collectively reduce CPU cycles by about 2.3%.

   Update to 3.38.5:

   * Fix a blunder in the CLI of the 3.38.4 release

   Update to 3.38.4:

   * fix a byte-code problem in the Bloom filter pull-down
     optimization added by release 3.38.0 in which an error in the byte code
      causes the byte code engine to enter an infinite loop when the
      pull-down optimization encounters a NULL key

   Update to 3.38.3:

   * Fix a case of the query planner be overly aggressive with
     optimizing automatic-index and Bloom-filter construction, using
      inappropriate ON clause terms to restrict the size of the
      automatic-index or Bloom filter, and resulting in missing rows in the
      output.
   * Other minor patches. See the timeline for details.

   Update to 3.38.2:

   * Fix a problem with the Bloom filter optimization that might cause an
     incorrect answer when doing a LEFT JOIN with a WHERE clause constraint
     that says that one of the columns on the right table of the LEFT JOIN is
     NULL.
   * Other minor patches.

   - Package the Tcl bindings here again so that we only ship one copy
   of SQLite (bsc#1195773).

   Update to 3.38.1:

   * Fix problems with the new Bloom filter optimization that might cause
     some obscure queries to get an incorrect answer.
   * Fix the localtime modifier of the date and time functions so that it
     preserves fractional seconds.
   * Fix the sqlite_offset SQL function so that it works correctly even in
     corner cases such as when the argument is a virtual column or the column
     of a view.
   * Fix row value IN operator constraints on virtual tables so that they
     work correctly even if the virtual table implementation relies on
     bytecode to filter rows that do not satisfy the constraint.
   * Other minor fixes to assert() statements, test cases, and documentation.
     See the source code timeline for details.

   Update to 3.38.0

   * Add the -> and ->> operators for easier processing of JSON
   * The JSON functions are now built-ins
   * Enhancements to date and time functions
   * Rename the printf() SQL function to format() for better compatibility,
     with alias for backwards compatibility.
   * Add the sqlite3_error_offset() interface for helping localize an SQL
     error to a specific character in the input SQL text
   * Enhance the interface to virtual tables
   * CLI columnar output modes are enhanced to correctly handle tabs and
     newlines embedded in text, and add options like "--wrap N", "--wordwrap
     on", and "--quote" to the columnar output modes.
   * Query planner enhancements using a Bloom filter to speed up large
     analytic queries, and a balanced merge tree to evaluate UNION or UNION
     ALL compound SELECT statements that have an ORDER BY clause.
   * The ALTER TABLE statement is changed to silently ignores entries in the
     sqlite_schema table that do not parse when PRAGMA writable_schema=ON

   Update to 3.37.2:

   * Fix a bug introduced in version 3.35.0 (2021-03-12) that can cause
     database corruption if a SAVEPOINT is rolled back while in PRAGMA
     temp_store=MEMORY mode, and other changes are made, and then the outer
     transaction commits
   * Fix a long-standing problem with ON DELETE CASCADE and ON UPDATE CASCADE
     in which a cache of the bytecode used to implement the cascading change
     was not being reset following a local DDL change

   Update to 3.37.1:

   * Fix a bug introduced by the UPSERT enhancements of version 3.35.0 that
     can cause incorrect byte-code to be generated for some obscure but valid
     SQL, possibly resulting in a NULL- pointer dereference.
   * Fix an OOB read that can occur in FTS5 when reading corrupt database
     files.
   * Improved robustness of the --safe option in the CLI.
   * Other minor fixes to assert() statements and test cases.

   Update to 3.37.0:

   * STRICT tables provide a prescriptive style of data type management, for
     developers who prefer that kind of thing.
   * When adding columns that contain a CHECK constraint or a generated
     column containing a NOT NULL constraint, the ALTER TABLE ADD COLUMN now
     checks new constraints against preexisting rows in the database and will
     only proceed if no constraints are violated.
   * Added the PRAGMA table_list statement.
   * Add the .connection command, allowing the CLI to keep multiple database
     connections open at the same time.
   * Add the --safe command-line option that disables dot-commands and SQL
     statements that might cause side-effects that extend beyond the single
     database file named on the command-line.
   * CLI: Performance improvements when reading SQL statements that span many
     lines.
   * Added the sqlite3_autovacuum_pages() interface.
   * The sqlite3_deserialize() does not and has never worked for the TEMP
     database. That limitation is now noted in the documentation.
   * The query planner now omits ORDER BY clauses on subqueries and views if
     removing those clauses does not change the semantics
     of the query.
   * The generate_series table-valued function extension is modified so that
     the first parameter ("START") is now required. This is done as a way to
     demonstrate how to write table-valued functions with required
     parameters. The legacy behavior is available using the
     -DZERO_ARGUMENT_GENERATE_SERIES compile-time option.
   * Added new sqlite3_changes64() and sqlite3_total_changes64() interfaces.
   * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
   * Use less memory to hold the database schema.
   * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
     extension when a column has no collating sequence.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3401=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3401=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-3401=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3401=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3401=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3401=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3401=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-3401=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libsqlite3-0-3.39.3-9.23.1
      libsqlite3-0-32bit-3.39.3-9.23.1
      libsqlite3-0-debuginfo-3.39.3-9.23.1
      libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
      sqlite3-3.39.3-9.23.1
      sqlite3-debuginfo-3.39.3-9.23.1
      sqlite3-debugsource-3.39.3-9.23.1
      sqlite3-devel-3.39.3-9.23.1
      sqlite3-tcl-3.39.3-9.23.1


References:

   https://www.suse.com/security/cve/CVE-2021-36690.html
   https://www.suse.com/security/cve/CVE-2022-35737.html
   https://bugzilla.suse.com/1189802
   https://bugzilla.suse.com/1195773
   https://bugzilla.suse.com/1201783



More information about the sle-security-updates mailing list