All errata/c10f2/ALT-PU-2025-10069-4
ALT-PU-2025-10069-4

Package update sqlite3 in branch c10f2

Version3.50.4-alt1
Task#391698
Published2026-02-04
Max severityCRITICAL
Severity:

Closed issues (14)

BDU:2021-05231
HIGH7.5

Уязвимость функции idxGetTableInfo компонента командной строки встраиваемой СУБД SQLite, связанная с чтением за допустимыми границами буфера данных, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-10-29Modified: 2023-11-13
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2022-06495
CRITICAL9.8

Уязвимость API-библиотеки системы управления базами данных SQLite, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код

Published: 2022-10-28Modified: 2025-09-05
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2024-00480
HIGH7.3

Уязвимость функции sessionReadRecord файла ext/session/sqlite3session.c системы управления базами данных SQLite, позволяющая нарушителю оказать влияние на конфиденциальность, целостность и доступность

Published: 2024-01-19Modified: 2026-01-20
CVSS 3.xHIGH 7.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2025-06404
HIGH7.5

Уязвимость функции SQL concat_ws() системы управления базами данных SQLite, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-06-05Modified: 2026-03-04
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2025-08786
MEDIUM5.0

Уязвимость компонента Aggregate Term Handler системы управления базами данных SQLite, позволяющая нарушителю оказать влияние на конфиденциальность, целостность и доступность

Published: 2025-07-22Modified: 2026-03-04
CVSS 3.xMEDIUM 5.0
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:P/A:P
References
BDU:2025-14107
HIGH7.3

Уязвимость функции concat_ws() системы управления базами данных SQLite, позволяющая нарушителю выполнить произвольный код

Published: 2025-11-14
CVSS 3.xHIGH 7.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
References
CVE-2021-36690
HIGH7.5

A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.

Published: 2021-08-24Modified: 2025-11-03
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2022-35737
HIGH7.5

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Published: 2022-08-03Modified: 2026-02-13
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2023-7104
HIGH7.3

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Published: 2023-12-29Modified: 2025-11-03
CVSS 2.0MEDIUM 5.2
CVSS:2.0/AV:A/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References
CVE-2025-29087
HIGH7.5

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.

Published: 2025-04-07Modified: 2025-04-30
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-3277
MEDIUM6.9

An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.

Published: 2025-04-14Modified: 2025-08-18
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0MEDIUM 6.9
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-6965
HIGH7.2

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Published: 2025-07-15Modified: 2026-04-14
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 7.2
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green
References
GHSA-jw36-hf63-69r9
HIGH7.5

`libsqlite3-sys` via C SQLite improperly validates array index

Published: 2022-08-04Modified: 2024-03-27
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References

Closed bugs (2)

Bug #45289

Не работает параметр echo