Vulnerability in SQLite3.39.2 CVE-2022-46908

[sankar-gp]

Our internal tool reported that there is a Vulnerability in SQLite3.39.2

CVE-2022-46908

Description
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.

[sjlombardo]

Hello @sankar-gp

We're aware of this issue. The SQLite team has fixed it in source control but has not yet published an official release with the change. Based on this discussion it may be some time until it is included in a release.

It's worth noting that this issue would only affect applications using the command line shell to process untrusted SQL scripts using the --safe flag. As a result, this issue is extremely unlikely to affect users. The official statement from the SQLite security page says "It is not serious. It is debatable whether or not this is a security issue." The original submitter is actually petitioning NIST to have the CVE severity downgraded based on this.

Given these factors, the fix for this issue will be included once the change appears in an official SQLite release, and once we update SQLCipher to use that version as a baseline.

I will keep this ticket open for now to facilitate tracking.

[sankar-gp]

Hi @sjlombardo

Any update on this issue? If you can provide a tentative release date, it would be helpful.

Thanks!

[developernotes]

Hello @sankar-gp,

We just released SQLCipher 4.5.3 on 12-19-2022. The 4.5.3 release is based on SQLite upstream 3.39.4.

The thread linked above also links to the fix. SQLCipher will include this fix if it is included in the next upstream release merged in. We do not have a timeframe available at the moment for our next release however.

[brody4hire]

I suspect this should be fixed in SQLite 3.40.1:

• https://sqlite.org/releaselog/3_40_1.html

[sankar-gp]

Hi @developernotes / @sjlombardo @billymeltdown Any update on this issue?

[sjlombardo]

Hello @sankar-gp - To recap, CVE-2022-46908 does not impact the SQLCipher or SQLite libraries at all. It only affects the command line shell, which is not included in the SQLCipher for Android packages. Thus, there is no impact for any Android applications using SQLCipher as an embedded library and associated warnings should be treated as false positives.

The next release of SQLCipher will be based on a newer version of SQLite, version 3.40.1 or higher, but we do not have a published timeline for a new release right now.