[3.7] sqlite: Multiple vulnerabilities (CVE-2019-5018, CVE-2019-8457)
CVE-2019-5018: use-after-free in window function leading to remote code execution
An exploitable use-after-free vulnerability exists in the window function functionality of SQLite3 3.26.0. A specially crafted SQL command can cause a use-after-free, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
CVE-2019-8457: heap out-of-bound read in function rtreenode()
SQLite3 from 3.6.0 up to and including 3.27.2 is vulnerable to a heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
(from redmine: issue id 10540, created on 2019-06-05)
- parent #10537