ericsink / SQLitePCL.raw

A Portable Class Library (PCL) for low-level (raw) access to SQLite
Apache License 2.0

SQLite 3.40.1 with security fix #531

Closed alameenshah closed 1 year ago

alameenshah commented 1 year ago

Hello... New vulnerability reported on SQLite versions through 3.40.0 - CVE-2022-46908.

Could we update to version 3.40.1, please...

ericsink commented 1 year ago

From a brief reading of the details, it looks like this vulnerability is confined to the CLI, which I don't include. It's not related to the core SQLite library.

My favorite snippet from the sqlite forum thread at https://sqlite.org/forum/forumpost/07beac8056151b2f :

> This is a very different sort of risk than is presented by exploitable malfunctions in the core SQLite library. Calling this one a "CVE" is yet another degradation of the CVE system's value.

alameenshah commented 1 year ago

That makes sense, Thank you for checking Eric.

At work though, this CVE got flagged as a blocker by the BlackDuck security scanner. Looking at my options: 1) In case you usually pick SQLite updates quite often, then maybe I can wait? 2) To upgrade SQLitePCL.raw to use the new SQLite, can I just create a PR against https://github.com/ericsink/cb with the new amalgamated SQLite sources? Like this commit? Or is it more involved than that? Assuming I don't break anything else, would you be able to review and consider accepting the PR?

ericsink commented 1 year ago

I'll try to update the SQLite build soon, but I recommend not submitting the PR you described. The process involves much more than that, so the PR wouldn't make it happen any faster.

ericsink commented 1 year ago

SQLitePCLRaw 2.1.4 is now available on nuget.org. The e_sqlite3 builds have been updated to 3.40.1. You may wish to think of this release as a workaround for the bug in BlackDuck. ;-)
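
A scanner such as BlackDuck reports the version it finds in package metadata, but what matters at runtime is the native SQLite library that the provider actually loads. The following is an added example, not code from this project or from either participant, showing how to confirm from a .NET app or test that the loaded e_sqlite3 is at least 3.40.1 after moving to SQLitePCLRaw 2.1.4. It assumes the `SQLitePCLRaw.bundle_e_sqlite3` package is referenced (so `Batteries_V2.Init()` is available) and uses only the public `SQLitePCL.raw` calls `sqlite3_libversion_number`, `sqlite3_libversion`, `sqlite3_open_v2` and `sqlite3_close_v2`; the minimum-version constant and the class name are the example's own choices.

```csharp
using System;
using SQLitePCL;

// Added example: verify the native SQLite actually loaded by SQLitePCLRaw,
// rather than trusting the NuGet package version a scanner reads.
public static class SqliteVersionCheck
{
    // 3.40.1 encoded the way sqlite3_libversion_number() reports it:
    // major*1000000 + minor*1000 + patch. (Constant chosen for this example.)
    public const int MinimumVersionNumber = 3040001;

    // Returns true when the loaded library meets the minimum and can open
    // an in-memory database; throws if no provider has been initialised.
    public static bool LoadedSqliteIsAtLeastMinimum(out string loadedVersion)
    {
        // Selects and loads the bundled e_sqlite3 provider for this platform.
        Batteries_V2.Init();

        int number = raw.sqlite3_libversion_number();
        loadedVersion = raw.sqlite3_libversion().utf8_to_string();

        // Smoke test: open and close an in-memory database through the raw API
        // to prove the native library is functional, not merely present.
        int rc = raw.sqlite3_open_v2(
            ":memory:",
            out sqlite3 db,
            raw.SQLITE_OPEN_READWRITE | raw.SQLITE_OPEN_CREATE,
            null);
        if (rc != raw.SQLITE_OK)
        {
            throw new InvalidOperationException(
                $"sqlite3_open_v2 failed with result code {rc}");
        }
        raw.sqlite3_close_v2(db);

        return number >= MinimumVersionNumber;
    }

    public static int Main()
    {
        bool ok = LoadedSqliteIsAtLeastMinimum(out string version);
        Console.WriteLine($"Loaded SQLite {version} (ok: {ok})");
        // Non-zero exit lets a CI job fail when an older native library is picked up.
        return ok ? 0 : 1;
    }
}
```

Running this as part of a build pipeline catches the case where a different provider (for example a system-supplied sqlite3 via another bundle) is loaded instead of the updated e_sqlite3. Note that, as the thread points out, the CVE in question concerns the SQLite command-line shell, which SQLitePCLRaw does not ship; this check only confirms which core library version is in use.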

alameenshah commented 1 year ago

> SQLitePCLRaw 2.1.4 is now available on nuget.org. The e_sqlite3 builds have been updated to 3.40.1. You may wish to think of this release as a workaround for the bug in BlackDuck. ;-)

Awesome... Thank you Eric!