Bug 1659363

Summary: sqlite: Multiple security flaws in sqlite triggered via corrupted database files (Magellan)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-12-15 04:35:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Huzaifa S. Sidhpurwala 2018-12-14 08:11:33 UTC 
As per: 

https://blade.tencent.com/magellan/index_en.html
https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

Multiple flaws were found in sqlite. An attacker who could run arbitrary SQL command, could corrupt the internal databases and execute arbitrary code as the user running the application.

Upstream release sqlite-3.25.3 to address the changes:
https://www.sqlite.org/releaselog/3_25_3.html

Also sqlite-3.26 introduces defense-in-depth changes. This needs to be enabled by setting SQLITE_DBCONFIG_DEFENSIVE in the config file. This may break compatibility with certain applications which try to write to sqlite internal database files.
https://www.sqlite.org/releaselog/3_26_0.html
https://sqlite.org/src/info/11d98414eac467af
Comment 2 Huzaifa S. Sidhpurwala 2018-12-15 04:35:38 UTC 

*** This bug has been marked as a duplicate of bug 1659379 ***