CVE-2019-16168: SQLite: Timeline
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a “severe division by zero in the query planner.”
100 check-ins
2023-03-23
12:00
Fix #ifdefs that use the wrong preprocessor macro. (Leaf check-in: 0aecf360 user: drh tags: nan-inf)
10:58
The attempt to bring STAT4 up to 100% MC/DC at [55a26c67ed4a3a93] and at [168fa2fb22b8c1ad] are incorrect. Back them out and replace them with a simple NEVER() macro. Error reported by forum post dc4854437b. (Leaf check-in: 76e683c5 user: drh tags: branch-3.41)
10:54
The attempt to bring STAT4 up to 100% MC/DC at [55a26c67ed4a3a93] and at [168fa2fb22b8c1ad] are incorrect. Back them out and replace them with a simple NEVER() macro. Error reported by forum post dc4854437b. (Leaf check-in: 5992370a user: drh tags: trunk)
2023-03-22
20:21
Add the SQLITE_ENABLE_NAN_INF compile-time option which makes the following behavior changes: (1) sqlite3_value_double(NULL) returns NaN, (2) SQLite preserves NaN values rather than converting them to NULL. (3) CAST statements understand “NaN” and “Inf” and make the right conversions. (4) Non-standard JSON is never generated by SQLite JSON routines, but those routines will accept floating point literals "NaN", "Inf", and "-Inf". (check-in: 96ec8306 user: drh tags: nan-inf)
19:57
Internal cleanups in JS code. No functional changes. (check-in: 8fbdf7d1 user: stephan tags: trunk)
16:55
The floating-point-to-text conversion with the zero-padding option now renders NaN as "null". (check-in: ad59fa17 user: drh tags: trunk)
16:37
For consistency, the “.mode json” output from the CLI now renders infinity in the same format as the JSON functions. (check-in: abee339d user: drh tags: trunk)
16:24
The double-to-text conversion renders infinity as 9e999, so that JSON output is compliant and so that values can be round-tripped. (check-in: b52081d0 user: drh tags: trunk)
16:01
In the CLI, the magic parameter :inf and :nan bind floating point values Infinity and NaN, respectively, as an aid to testing SQLite's handling of those quantities. (check-in: c70a61d8 user: drh tags: trunk)
14:51
Update the version number for the TEA tarball to 3.42.0, to match the core. (check-in: 03e6918e user: drh tags: trunk)
13:47
Merge the 3.41.2 patch into the reuse-schema-3.41 subbranch of reuse-schema (Leaf check-in: 995fa4d0 user: drh tags: reuse-schema-3.41)
13:35
Merge the 3.41.2 patches into the bedrock-3.41 subbranch of bedrock. (Leaf check-in: b7a144c4 user: drh tags: bedrock-3.41)
13:25
Merge the 3.41.2 patch into the wal2-3.41 subbranch of wal2. (Leaf check-in: db44f17a user: drh tags: wal2-3.41)
11:56
Version 3.41.2 (check-in: 0d1fc92f user: drh tags: release, branch-3.41, version-3.41.2)
11:12
Increment the version number in the TEA configure script to 3.41.2. (check-in: 2bb74aa5 user: drh tags: branch-3.41)
2023-03-21
14:20
Add ALWAYS() on a branch that is always true now due to [84417bbd144b2197]. (check-in: badf7d0e user: drh tags: trunk)
12:29
Add the fuzzcheck-asan.exe target to the MSVC makefile. (check-in: 0901bc02 user: drh tags: trunk)
11:56
Add the fuzzcheck-asan target to the main posix makefile. (check-in: 55e94add user: drh tags: trunk)
11:27
Fix a valgrind error and potential buffer overread when handling a corrupt database. (check-in: cb8b34fa user: drh tags: branch-3.41)
11:13
Fix a valgrind error and potential buffer overread when handling a corrupt database. (check-in: b1e0cd64 user: dan tags: trunk)
2023-03-20
20:22
Reinsert two NEVER() macros for b-tree branches that were previously needed for [b6a82f3c3b9d89fd] but which are now obsolete due to [73f0036f045bf371]. Later: dbsqlfuzz quickly found new cases for which those two branches are needed. The new test cases have been added to TH3. (Closed-Leaf check-in: 3065dadb user: drh tags: backout)
18:35
Minor change to btreeNext() to facilitate coverage testing. (check-in: 20b3ef04 user: drh tags: trunk)
15:50
Fix a problem causing a cursor to retain an out-of-date cell-info cache when processing a DISTINCT query on values that are identical according to their collation sequence, but different on disk. (check-in: b0281184 user: drh tags: branch-3.41)
14:59
Fix a problem causing a cursor to retain an out-of-date cell-info cache when processing a DISTINCT query on values that are identical according to their collation sequence, but different on disk. Forum post e123e6cde4. (check-in: 1b3abc1d user: dan tags: trunk)
10:43
Back out the extra margin added to the input buffer of the CLI, as it is not needed. (check-in: ac8d1e5d user: drh tags: trunk)
01:59
Fix problems with the sqlite3_error_offset() function and its use in the CLI. (check-in: d5cd6c88 user: drh tags: branch-3.41)
01:55
A better fix for the sqlite3_error_offset() problem on generated columns. (check-in: 770b3e67 user: drh tags: trunk)
00:53
Expression errors in generated columns should not generate non-negative sqlite3_error_offset() returns. Second of two defenses against [33aa4c0de8a62e33]. (check-in: 2adb4e0d user: drh tags: trunk)
00:48
When reporting errors in the CLI, ignore the output of sqlite3_error_offset() if the value returned is clearly out-of-range. One of two lines of defense against [33aa4c0de8a62e33]. (check-in: 26adbb80 user: drh tags: trunk)
2023-03-19
21:53
Increase the size of ref-count values in the pager layer to 64-bits, to avoid any reasonable possibility of overflowing the counters. (check-in: 824611ad user: drh tags: branch-3.41)
21:48
Increase the size of ref-count values in the pager layer to 64-bits, to avoid any reasonable possibility of overflowing the counters. There is a performance and memory penalty for this. Forum post b741f15a35. (check-in: 6c5d99a8 user: drh tags: trunk)
10:30
Avoid a buffer overread in fts3 that could occur when processing a corrupt record. (check-in: 1f91fe4b user: drh tags: branch-3.41)
2023-03-18
16:12
Avoid a buffer overread in fts3 that could occur when processing a corrupt record. (check-in: 02ac2297 user: dan tags: trunk)
2023-03-17
20:31
Fix json rendering so that it shows positive and negative infinity as 9.0e+999 and -9.0e+999 respectively. (Closed-Leaf check-in: efce4690 user: drh tags: numeric-only-json)
19:18
Add the ability to name functions using one of the join keywords like CROSS FULL INNER LEFT NATURAL OUTER RIGHT. (check-in: 0910b192 user: drh tags: trunk)
19:07
Add test cases for functions named the same as join keywords. (Closed-Leaf check-in: 94944b23 user: drh tags: functions-named-left)
14:22
Fix a potential buffer overread in the recovery extension. (check-in: 78836713 user: dan tags: branch-3.41)
14:18
Fix a potential buffer overread in the recovery extension. (check-in: 0b3b5bf9 user: dan tags: trunk)
12:25
Ensure that an error does not delete the Table object out from under the xConstruct method of a virtual table. dbsqlfuzz 7cc8804a1c6d4e3d554d79096e6ea75a7c1c7d2d (check-in: c5bd0ea3 user: drh tags: branch-3.41)
10:43
Ensure that an error does not delete the Table object out from under the xConstruct method of a virtual table. dbsqlfuzz 7cc8804a1c6d4e3d554d79096e6ea75a7c1c7d2d (check-in: df4928c9 user: drh tags: trunk)
10:30
Increase the version number to 3.41.2 (check-in: 122f12f5 user: drh tags: branch-3.41)
00:42
Add safety margin on the CLI input buffer for tickets [33aa4c0de8a62e33], [b97e6c5e6a91d97f], [2971fbe3f993e95a], and [2971fbe3f993e95a]. (check-in: 741af08a user: drh tags: trunk)
00:10
Fix assert() statements that would (incorrectly) fire if an IF NOT EXISTS trigger that already exists contained two or more RETURNING clauses. (check-in: 9b43b34d user: drh tags: branch-3.41)
00:01
Fix assert() statements that would (incorrectly) fire if an IF NOT EXISTS trigger that already exists contained two or more RETURNING clauses. Tickets [89d259d45b855a0d] and [d15b3a4ea901ef0d]. (check-in: 648899e4 user: drh tags: trunk)
2023-03-16
21:05
Correctly handle SELECT DISTINCT … ORDER BY when all of the result set terms are constant and there are more result set terms than ORDER BY terms. (check-in: 097512b6 user: drh tags: branch-3.41)
20:54
Correctly handle SELECT DISTINCT … ORDER BY when all of the result set terms are constant and there are more result set terms than ORDER BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24], [d6fd512f50513ab7]. (check-in: 12ad822d user: drh tags: trunk)
12:28
Additional debug/test output from the query invariant checker showing the row-number that is being checked. (check-in: e4b6eb58 user: drh tags: trunk)
11:50
Update the tracing output for the query-invariant checker such that it shows the SQL that is run to verify that a found query-invariant discrepancy is valid. Changes to testing logic only. (check-in: 8f45ad27 user: drh tags: trunk)
10:21
Do not use the one-pass optimization on an UPDATE if there is a subquery in the WHERE clause, since if the subquery is hidden behind a short-circuit operator, the subquery might not be evaluated until after one or more rows have been updated. (check-in: b5d8a9a6 user: drh tags: branch-3.41)
10:17
Do not use the one-pass optimization on an UPDATE if there is a subquery in the WHERE clause, since if the subquery is hidden behind a short-circuit operator, the subquery might not be evaluated until after one or more rows have been updated. Fix for the problem reported by forum post 0007d1fdb1. This is the same problem that was fixed by [73f0036f045bf371] only for UPDATE instead of DELETE. (check-in: 2c56b984 user: drh tags: trunk)
09:16
Remove a NEVER() from btreeNext(). (check-in: 40623f5a user: drh tags: branch-3.41)
09:12
Fix a broken assert() in the recovery extension. (check-in: 048711e4 user: drh tags: branch-3.41)
09:07
Remove a NEVER() from btreeNext() that dbsqlfuzz 460aa158f9a2c41145831cc924296cde1f312b3f found could sometimes be reached. I will find a way to test that branch later. (check-in: 1dffeffe user: drh tags: trunk)
02:30
Another approach at attempting to contain the damage caused by corruption that leaves MemPage.isInit clear. Works better than the previous but is still not perfect. (Closed-Leaf check-in: ba964eb0 user: drh tags: corruption-in-btree-init)
01:20
When the btreeInitPage() routine detects database corruption, it should continue to the end and set MemPage.isInit before it returns SQLITE_CORRUPT, because if it leaves MemPage.isInit unset, that can cause difficulty later. dbsqlfuzz 460aa158f9a2c41145831cc924296cde1f312b3f (check-in: 44e83f8b user: drh tags: corruption-in-btree-init)
2023-03-15
18:05
Disallow the one-pass optimization for DELETE if the WHERE clause contains a subquery. (check-in: 25e18318 user: drh tags: branch-3.41)
17:58
Disallow the one-pass optimization for DELETE if the WHERE clause contains a subquery. Fix for the problem reported by forum post e61252062c9d286d. This fix is more restrictive than necessary. It could be relaxed if the subquery does not involve the table that is the subject of the DELETE. (check-in: 73f0036f user: drh tags: trunk)
13:53
Fix a broken assert() in the recovery extension. (check-in: 4c4e66f2 user: dan tags: trunk)
2023-03-14
20:16
Fix Bloom filters on an expression index. (check-in: 11e0256b user: drh tags: branch-3.41)
20:08
Fix Bloom filters on an expression index. forum post 2e427099d5 and forum post d47a0e8e3a. This problem goes back to the original introduction of Bloom filters (check-in [633bfeeea2bccdd4]) for SQLite version 3.38.0. (check-in: c028fb66 user: drh tags: trunk)
2023-03-13
16:08
Include CLI's tip for -- in all builds. Better show optionality of its non-option arguments. (check-in: 9e2c771d user: larrybr tags: trunk)
2023-03-11
23:29
The cherry-pick merge at [371838562a675c1b] caused a performance regression for some queries, which is here fixed. (check-in: 6d6d95fc user: drh tags: branch-3.41)
23:21
The check-in at [198b3e33dcfd74c7] caused a performance regression for some queries, which is here fixed. Problem reported by forum post b405033490fa56d9. (check-in: dc9f025d user: drh tags: trunk)
12:27
Allow functions named using keywords "CROSS", "FULL", "INNER", "LEFT", "NATURAL", "OUTER", and "RIGHT". (check-in: eeac3d5e user: drh tags: functions-named-left)
00:15
CLI help to reflect no-more-options option (check-in: 30d95a12 user: larrybr tags: trunk)
2023-03-10
21:27
Fix a typo in a comment. No code changes. (check-in: 76acc075 user: drh tags: trunk)
20:54
Give CLI a no-more-options option. (--) (check-in: 08227887 user: larrybr tags: trunk)
13:36
Fix a problem with the fts5 snippet() function that shows up when snippets just 1 token in length are requested. (check-in: 96d5116d user: dan tags: trunk)
12:47
Merge the 3.41.1 patches into the bedrock branch. (check-in: 2780cc9f user: drh tags: bedrock-3.41)
12:13
Version 3.41.1 (check-in: 20399f3e user: drh tags: release, branch-3.41, version-3.41.1)
11:57
Export SQLITE_FCNTL_RESET_CACHE to JS. (check-in: 6195cfc8 user: stephan tags: trunk)
00:59
Merge the branch-3.41 patches into the reuse-schema branch. (check-in: af08bd3e user: drh tags: reuse-schema-3.41)
00:21
Merge the latest 3.41 patches into a new branch called wal2-3.41. (check-in: e67bfc76 user: drh tags: wal2-3.41)
2023-03-09
22:09
Replace a lingering use of ‘self’ with ‘globalThis’ in JS code, for node compatibility. (check-in: 7e3782b5 user: stephan tags: trunk)
16:11
Reinstate some test cases accidentally removed by [cb023fe28560ce0f]. (check-in: 870de61f user: dan tags: trunk)
16:04
In the Bloom filter optimization, hash all strings and blobs into the same value, because we do not know if two different strings might compare equal even if they have different byte sequences, due to collating functions. Formerly, the hash of a string or blob was just its length. This could all be improved. (check-in: cc8a0ee4 user: drh tags: branch-3.41)
15:08
Fix countofview.test so that it works with SQLITE_OMIT_PROGRESS_CALLBACK builds. (check-in: d55a7742 user: dan tags: branch-3.41)
15:08
Fix countofview.test so that it works with SQLITE_OMIT_PROGRESS_CALLBACK builds. (check-in: 2fc7c3fc user: dan tags: trunk)
14:14
Update the version number to 3.41.1 (check-in: e4e2e647 user: drh tags: branch-3.41)
13:58
Merge count-of-view optimization fixes from trunk. But count-of-view is still off by default for this branch. (check-in: cbbe8986 user: drh tags: branch-3.41)
08:51
Experimental addition of sqlite3-node.mjs, for node.js, based on feedback from forum post ac7a94d4f77db235 and related off-list discussions. Build changes only - no code changes. (check-in: a5db97fa user: stephan tags: trunk)
01:35
Fix a possible NULL pointer dereference due to the sqlite3_interrupt() enhancement in the 3.41.0 release. (check-in: 66d24a22 user: drh tags: branch-3.41)
2023-03-08
23:05
Fix a possible NULL pointer dereference due to the sqlite3_interrupt() enhancement at [bd8fa10e59f58886]. Reported by forum post f5a2b1db87. (check-in: 84417bbd user: drh tags: trunk)
22:48
Backout the OP_MakeRecord optimization as it does not work. (check-in: 25017312 user: drh tags: trunk)
18:05
Export the new SQLITE_CHANGESETAPPLY_IGNORENOOP flag to JS. (check-in: ac7359b2 user: stephan tags: trunk)
18:03
Add the SQLITE_CHANGESETAPPLY_IGNORENOOP flag, which may be passed to sqlite3changeset_apply_v2() to have it ignore changes that would be no-ops if applied to the database (e.g. deleting a row that has already been deleted), instead of considering them conflicts. (check-in: cb023fe2 user: dan tags: trunk)
17:09
Small performance improvement in the OP_MakeRecord opcode. (check-in: ca89daef user: drh tags: trunk)
14:37
Keep the historical datatype ("INT", not "NUM") for a table created as follows: "CREATE TABLE t1 AS SELECT CAST(123 AS INT) AS value;". The use of FLEXNUM only occurs on compound queries. (check-in: dc1033af user: drh tags: branch-3.41)
14:28
Change to [44135d6ea84f7ba6] that retains the historical datatype ("INT", not "NUM") for a table created as follows: "CREATE TABLE t1 AS SELECT CAST(123 AS INT) AS value;". The use of FLEXNUM only occurs on compound queries. (check-in: 6d5b5896 user: drh tags: trunk)
10:05
Extend wasm build to support a custom sqlite3.c to support building against sqlite3-see.c. The JS code now binds the SEE-specific functions if it detects an SEE build. (check-in: dd8612c8 user: stephan tags: trunk)
00:47
Fix a problem in the count-of-view optimization that can lead to incorrect bytecode. dbsqlfuzz 23d782160b71c3f8f535ccb2da313dfc8eb8c631. (check-in: f4500953 user: drh tags: trunk)
00:04
Fix an assertion fault added by [65ffee234787213c]. (check-in: d00e68ba user: drh tags: branch-3.41)
2023-03-07
23:47
Fix a bug introduced 4 days ago by [e95439119ac200cb]: do not set the Expr.affExpr field of a generated column expression if the expression is a RAISE() function, as affExpr has a different meaning for RAISE. Forum post b312e075b5. (check-in: 1096b5a7 user: drh tags: trunk)
19:39
A proposed change to [44135d6ea84f7ba6] that retains the historical datatype ("INT", not "NUM") for a table created as follows: "CREATE TABLE t1 AS SELECT CAST(123 AS INT) AS value;". (Closed-Leaf check-in: a0e54fe2 user: drh tags: flexnum-proposed-fix)
19:23
Improve how sqlite3.initWorker1API() determines whether it’s running in a Worker thread. Based on feedback in forum post ac7a94d4f77db235. (check-in: 2f712b83 user: stephan tags: trunk)
19:12
Replace use of 'self' in JS code with 'globalThis', as that works in browsers and node environments. Avoid using globalThis.location if it's not set (e.g. in node). Based on feedback in forum post ac7a94d4f77db235. Minor JS build tweaks. (check-in: dbbe8f25 user: stephan tags: trunk)
12:59
In the JS sqlite3.vfs/vtab utility APIs, use a local reference to StructBinder instead of sqlite3.StructBinder, as that object is removed from the sqlite3 namespace during the final steps of API initialization. Based on feedback from forum post d19d96183badca70. (check-in: 0d89885d user: stephan tags: trunk)
02:24
Fix a couple minor spacing issues in the MSVC makefile. (check-in: 46b3ac6d user: mistachkin tags: trunk)
2023-03-06
23:39
Repair an unintentional fork. (check-in: 8b524c84 user: drh tags: trunk)
23:38
Improvements to query invariant testing such that it uses the new SQLITE_DBCONFIG_REVERSE_SCANORDER opcode to sqlite3_db_config() to make more accurate judgements about when a query is ambiguous, and hence when query invariant testing is appropriate. (check-in: be9ab292 user: drh tags: trunk)