In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c. References: https://sqlite.org/src/info/b3fa58dd7403dbd4 https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114382.html https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114394.html
Created sqlite tracking bugs for this issue: Affects: fedora-all [bug 1692366]
Statement: This issue did not affect the versions of sqlite as shipped with Red Hat Enterprise Linux 6 and 7 as they did not include support for fts5.
Upstream patch: https://sqlite.org/src/info/b3fa58dd7403dbd4