sqlcipher / android-database-sqlcipher

Android SQLite API based on SQLCipher
https://www.zetetic.net/sqlcipher/sqlcipher-for-android/

Vulnerability in SQLite3.39.2 CVE-2024-0232 #641

Closed sankar-gp closed 3 months ago

sankar-gp commented 3 months ago

Our internal tool reported that there is a vulnerability in SQLite 3.39.2

CVE-2024-0232

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

developernotes commented 3 months ago

Hello @sankar-gp,

This issue was addressed in SQLite upstream 3.43.2. The latest SQLCipher release, 4.5.6, is based on SQLite upstream 3.44.2. Please note that we stopped releasing Community builds of android-database-sqlcipher with 4.5.4, which is based on SQLite upstream 3.41.2. Our long-term supported replacement for android-database-sqlcipher is sqlcipher-android. If you are a Commercial customer using android-database-sqlcipher, please feel free to reach out directly at support@zetetic.net.

sankar-gp commented 3 months ago

Does this issue make our application vulnerable?

developernotes commented 3 months ago

Hi @sankar-gp,

If your application is using SQLite 3.39.2 via SQLCipher 4.5.2, we would recommend you update your library.

sankar-gp commented 3 months ago

We are using 'net.zetetic:android-database-sqlcipher:4.5.3@aar' and 'net.zetetic:android-database-sqlcipher:4.5.4@aar' versions in our app.

sjlombardo commented 3 months ago

@sankar-gp - it appears you have cross-posted this issue in several places. Please reference our response to your question on the SQLCipher Discussion Site.
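
An added example, not part of the original thread and not SQLCipher project code: a small audit that finds SQLCipher dependencies in a Gradle file and reports whether the bundled SQLite predates the upstream 3.43.2 fix, using only the version pairs stated in the replies above. The function names, status labels, the sample build file and the `net.zetetic:sqlcipher-android` line are assumptions made for illustration.

```python
import re

# SQLCipher release -> upstream SQLite version; only the pairs stated in the thread.
SQLCIPHER_TO_SQLITE = {"4.5.2": "3.39.2", "4.5.4": "3.41.2", "4.5.6": "3.44.2"}
FIXED_IN = "3.43.2"  # upstream release that addressed CVE-2024-0232, per the thread

COORD = re.compile(
    r"net\.zetetic:(android-database-sqlcipher|sqlcipher-android):(\d+(?:\.\d+)*)"
)

def vtuple(version):
    """'3.41.2' -> (3, 41, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def audit(gradle_text):
    """Return (line_no, artifact, sqlcipher, sqlite, status) per dependency found."""
    findings = []
    for line_no, line in enumerate(gradle_text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore commented-out dependencies
        for artifact, version in COORD.findall(code):
            sqlite = SQLCIPHER_TO_SQLITE.get(version)
            if sqlite is None:
                # Not stated in the thread: confirm on device with SELECT sqlite_version();
                status = "unknown"
            elif vtuple(sqlite) < vtuple(FIXED_IN):
                status = "predates_fix"
            else:
                status = "includes_fix"
            findings.append((line_no, artifact, version, sqlite, status))
    return findings

# Constructed sample build file (not taken from any real project).
SAMPLE = """\
dependencies {
    implementation 'net.zetetic:android-database-sqlcipher:4.5.3@aar'
    implementation 'net.zetetic:android-database-sqlcipher:4.5.4@aar'
    // implementation 'net.zetetic:android-database-sqlcipher:4.5.2@aar'
    implementation 'net.zetetic:sqlcipher-android:4.5.6@aar'
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A release missing from the mapping is reported as `unknown` rather than guessed; the SQLite version actually linked can be read at runtime with `SELECT sqlite_version();`.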