Bug 1131560 (CVE-2018-20505)

Summary: VUL-1: CVE-2018-20505: sqlite3: SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause DOS
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Reinhard Max <max>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P5 - None CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/228738/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Alexandros Toptsoglou 2019-04-04 13:29:21 UTC
After code review it was found that none of our codestreams is affected.
Going through the version changes it seems that this vulnerability introduced in version 3.22.0 and fixed in version 3.26.0. The fix was also back-ported in version 3.25.3.

Regarding our codestreams: 
SLE15 ships an already fixed version of sqlite3
All the other codestreams are older and are not affected. 

Regarding openSUSE: 

TW ships an already fixed version 
LEAP 15 is currently vulnerable but an update will be soon published (release request has already been created [1])
LEAP 42.3 is not affected


[1] https://build.opensuse.org/request/show/689425