search

sqlcipher / android-database-sqlcipher

Android SQLite API based on SQLCipher
https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
Other
2.73k stars 564 forks source link

Vulnerability in SQLite3.39.2 BDSA-2023-3555 #639

Closed sankar-gp closed 4 months ago

sankar-gp commented 4 months ago

Our internal tool reported that there is a Vulnerability in SQLite3.39.2

[BDSA-2023-3555]

Description SQLite is vulnerable to an out-of-bounds memory access issue due to a lack of sufficient input validation in the sessionReadRecord() function.

An attacker could submit a crafted input in order to trigger the flaw which could allow for a 1-byte out-of-bounds read to occur which could lead to information being leaked from memory, or cause instability which could result in a denial-of-service (DoS).

developernotes commented 4 months ago

Hi @sankar-gp,

Thanks for your interest in SQLCipher. Unfortunately, we do not have access to the security advisory you linked to, however, the description sounds similar to CVE-2023-7104 ^1. Please note that this issue is isolated to the session extension, so if your application is not using that extension within SQLCipher, your application would not be affected. We are in the process of preparing the next public SQLCipher release which will be based on upstream SQLite 3.44.2.