SUSE update for sqlite3



Published: 2021-07-29
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2019-20218
CWE-ID: CWE-401
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
SUSE Linux Enterprise Point of Sale
Operating systems & Components / Operating system

SUSE Linux Enterprise Debuginfo
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

sqlite3-debuginfo
Operating systems & Components / Operating system package or component

libsqlite3-0-32bit
Operating systems & Components / Operating system package or component

sqlite3
Operating systems & Components / Operating system package or component

libsqlite3-0
Operating systems & Components / Operating system package or component

Vendor: SUSE

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Memory leak

EUVDB-ID: #VU24065

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20218

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a memory leak within the selectExpander() function in select.c in SQLite, caused by incorrect exception handling related to stack unwinding. A remote attacker with the ability to modify a WITH SQL query can trigger the vulnerability and gain access to potentially sensitive information.

Mitigation

Update the affected package sqlite3 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Point of Sale: 11-SP3

SUSE Linux Enterprise Debuginfo: 11-SP4

SUSE Linux Enterprise Server: 11-SP4-LTSS

sqlite3-debuginfo: before 3.7.6.3-1.4.7.15.1

libsqlite3-0-32bit: before 3.7.6.3-1.4.7.15.1

sqlite3: before 3.7.6.3-1.4.7.15.1

libsqlite3-0: before 3.7.6.3-1.4.7.15.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-202114771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


