Security update for sqlite3

Announcement ID:	SUSE-SU-2021:3215-1
Rating:	important
References:	bsc#1157818 bsc#1158812 bsc#1158958 bsc#1158959 bsc#1158960 bsc#1159491 bsc#1159715 bsc#1159847 bsc#1159850 bsc#1160309 bsc#1160438 bsc#1160439 bsc#1164719 bsc#1172091 bsc#1172115 bsc#1172234 bsc#1172236 bsc#1172240 bsc#1173641 bsc#928700 bsc#928701 jsc#SLE-16032
Cross-References:	CVE-2015-3414 CVE-2015-3415 CVE-2016-6153 CVE-2017-10989 CVE-2017-2518 CVE-2018-20346 CVE-2018-8740 CVE-2019-16168 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2019-8457 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-15358 CVE-2020-9327
CVSS scores:	CVE-2015-3414 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2015-3415 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2016-6153 ( NVD ): 5.9 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2017-10989 ( SUSE ): 3.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2017-10989 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-2518 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-2518 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-20346 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-20346 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-8740 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-8740 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-16168 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-16168 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-19244 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19244 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19317 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2019-19317 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-19603 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19603 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19645 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19645 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-19646 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19646 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-19880 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19923 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19923 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19924 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2019-19924 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2019-19925 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2019-19925 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19926 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19926 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19959 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2019-19959 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-20218 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-20218 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-8457 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2019-8457 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-8457 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-13434 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-13434 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-13435 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-13435 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-13630 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2020-13630 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-13631 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2020-13631 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2020-13632 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2020-13632 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-15358 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2020-15358 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-9327 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2020-9327 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	HPE Helion OpenStack 8 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9

An update that solves 28 vulnerabilities and contains one feature can now be installed.

Description:

This update for sqlite3 fixes the following issues:

sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).

The following CVEs have been fixed in upstream releases up to this point, but were not mentioned in the change log so far:

bsc#1173641, CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization
bsc#1164719, CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator
bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error
bsc#1160438, CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input
bsc#1160309, CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference
bsc#1159850, CVE-2019-19924: improper error handling in sqlite3WindowRewrite()
bsc#1159847, CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive
bsc#1159715, CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c
bsc#1159491, CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name
bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns
bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements
bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service
bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage
bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability
bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names
CVE-2020-13434 bsc#1172115: integer overflow in sqlite3_str_vappendf
CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed to one of its shadow tables
CVE-2020-13632 bsc#1172240: NULL pointer dereference via crafted matchinfo() query
CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

HPE Helion OpenStack 8
zypper in -t patch HPE-Helion-OpenStack-8-2021-3215=1
SUSE OpenStack Cloud 8
zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3215=1
SUSE OpenStack Cloud 9
zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3215=1
SUSE OpenStack Cloud Crowbar 8
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3215=1
SUSE OpenStack Cloud Crowbar 9
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3215=1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3215=1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3215=1
SUSE Linux Enterprise Software Development Kit 12 SP5
zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3215=1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3215=1
SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3215=1
SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2021-3215=1
SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3215=1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2021-3215=1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3215=1
SUSE Linux Enterprise High Performance Computing 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3215=1
SUSE Linux Enterprise Server 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3215=1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3215=1

Package List:

HPE Helion OpenStack 8 (x86_64)
- libsqlite3-0-debuginfo-3.36.0-9.18.1
- libsqlite3-0-32bit-3.36.0-9.18.1
- libsqlite3-0-3.36.0-9.18.1
- libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
- sqlite3-debugsource-3.36.0-9.18.1
- sqlite3-3.36.0-9.18.1
- sqlite3-devel-3.36.0-9.18.1
- sqlite3-debuginfo-3.36.0-9.18.1
SUSE OpenStack Cloud 8 (x86_64)
- libsqlite3-0-debuginfo-3.36.0-9.18.1
- libsqlite3-0-32bit-3.36.0-9.18.1
- libsqlite3-0-3.36.0-9.18.1
- libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
- sqlite3-debugsource-3.36.0-9.18.1
- sqlite3-3.36.0-9.18.1
- sqlite3-devel-3.36.0-9.18.1
- sqlite3-debuginfo-3.36.0-9.18.1
SUSE OpenStack Cloud 9 (x86_64)
- libsqlite3-0-debuginfo-3.36.0-9.18.1
- libsqlite3-0-32bit-3.36.0-9.18.1
- libsqlite3-0-3.36.0-9.18.1
- libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
- sqlite3-debugsource-3.36.0-9.18.1
- sqlite3-3.36.0-9.18.1
- sqlite3-devel-3.36.0-9.18.1
- sqlite3-debuginfo-3.36.0-9.18.1
SUSE OpenStack Cloud Crowbar 8 (x86_64)
- libsqlite3-0-debuginfo-3.36.0-9.18.1
- libsqlite3-0-32bit-3.36.0-9.18.1
- libsqlite3-0-3.36.0-9.18.1
- libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
- sqlite3-debugsource-3.36.0-9.18.1
- sqlite3-3.36.0-9.18.1
- sqlite3-devel-3.36.0-9.18.1
- sqlite3-debuginfo-3.36.0-9.18.1
SUSE OpenStack Cloud Crowbar 9 (x86_64)
- libsqlite3-0-debuginfo-3.36.0-9.18.1
- libsqlite3-0-32bit-3.36.0-9.18.1
- libsqlite3-0-3.36.0-9.18.1
- libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
- sqlite3-debugsource-3.36.0-9.18.1
- sqlite3-3.36.0-9.18.1
- sqlite3-devel-3.36.0-9.18.1
- sqlite3-debuginfo-3.36.0-9.18.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
- libsqlite3-0-debuginfo-3.36.0-9.18.1
- libsqlite3-0-3.36.0-9.18.1
- sqlite3-debugsource-3.36.0-9.18.1
- sqlite3-3.36.0-9.18.1
- sqlite3-devel-3.36.0-9.18.1
- sqlite3-debuginfo-3.36.0-9.18.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3 (x86_64)
- libsqlite3-0-32bit-3.36.0-9.18.1
- libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1