Bugzilla – Bug 1130325
VUL-1: CVE-2019-9937: sqlite3: interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference
Last modified: 2021-04-06 18:45:20 UTC
CVE-2019-9937

In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9937
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9937.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937
https://sqlite.org/src/info/45c73deb440496e8
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114383.html
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114393.html
This only affects SLE-15 and Factory, because fts5 did not yet exist in the SQLite versions on SLE-12 and older.
Only SLE15 and Factory were affected. Factory will be upgraded soon.
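The scoping in the comments above (only builds that contain fts5 are affected) can be checked on a host. The following is an added example, not part of the bug report or of SQLite: the function names are hypothetical, the 3.28.0 threshold is taken from the update notices on this page, and flagging every fts5-enabled build below it for review is an assumption, since the report itself names only 3.27.2.

```python
import sqlite3

FIXED = (3, 28, 0)  # version shipped by the updates listed on this page

def parse_version(text):
    """'3.27.2' -> (3, 27, 2); a fourth component such as 3.8.10.2 is ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def runtime_has_fts5(conn):
    """True if the SQLite library behind conn can instantiate the fts5 module."""
    opts = {row[0].upper() for row in conn.execute("PRAGMA compile_options")}
    if "ENABLE_FTS5" in opts:
        return True
    # compile_options can be empty (diagnostics omitted at build time), so
    # also probe the module directly with a throwaway table in the temp schema.
    try:
        conn.execute("CREATE VIRTUAL TABLE temp.fts5_probe USING fts5(x)")
    except sqlite3.OperationalError:
        return False
    conn.execute("DROP TABLE temp.fts5_probe")
    return True

def assess(version_text, fts5_present):
    """Classify a build: 'not-affected', 'updated' or 'review'."""
    if not fts5_present:
        return "not-affected"   # no fts5 module, as on SLE-12 and older
    if parse_version(version_text) >= FIXED:
        return "updated"        # at or above the version in the advisories
    return "review"             # fts5 present and older than 3.28.0 (assumption)

def probe_runtime():
    """Report on the SQLite library this Python interpreter is linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        return sqlite3.sqlite_version, runtime_has_fts5(conn)
    finally:
        conn.close()

if __name__ == "__main__":
    version, fts5 = probe_runtime()
    print(f"sqlite {version}, fts5={fts5}: {assess(version, fts5)}")
```

This reports on the library Python is linked against; applications that bundle their own copy of sqlite3.c need the same check run against that copy.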
SUSE-SU-2019:1127-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130325,1130326
CVE References: CVE-2019-9936,CVE-2019-9937
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): sqlite3-3.28.0-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src): sqlite3-3.28.0-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1372-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1130325,1130326
CVE References: CVE-2019-9936,CVE-2019-9937
Sources used:
openSUSE Leap 15.0 (src): sqlite3-3.28.0-lp150.2.6.1
Done