Related CVEs: CVE-2017-2518, CVE-2018-8740, CVE-2018-20346
SQLite3 is vulnerable to a NULL pointer dereference when using databases that have been corrupted with 'CREATE TABLE AS' statements. An attacker could exploit this with a crafted database file to trigger a crash, resulting in a denial of service.
An attacker who is able to run arbitrary SQL statements could use this flaw to corrupt the internal databases when the FTS3 extension is enabled, which can lead to arbitrary code execution as the user running SQLite.
A use-after-free vulnerability may allow remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted SQL statement.
For Debian 7 Wheezy, these problems have been fixed in version 3.7.13-1+deb7u5.
We recommend that you upgrade your sqlite3 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/