Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.

A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects.

However, the chances that fresh insight on a long known issue will spur any immediate changes to the software landscape remain bleak, given just how enormous, costly, and complex the task is of rewriting codebases entirely in memory-safe code.

Memory-unsafe programming languages such as C and C++ allow programmers to have more direct control over memory-related functions in code, which can often lead to very common application security issues like buffer overflows and use-after-free errors. Such flaws represent a large proportion of all vulnerabilities in modern application software. In contrast, memory-safe languages — the most common examples of which include Rust, Python, Java, and Go —offer guardrails such as built-in runtime and compile time checks to mitigate against common memory related errors.

**Most OSS Projects Contain Memory-Unsafe Code**

The US Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI and counterparts at the Australian Cyber Security Centre and the Canadian Centre for Cyber Security this week released a report summarizing the results of their investigation into the use of memory-unsafe code in OSS.

The findings, while troubling, are not entirely unexpected given past data on the extensive use of memory-unsafe languages in almost all modern codebases. Fifty-two percent of the 172 major open source projects that the research authors looked at contained code written in a memory-unsafe language. More than half (55%) of the total lines of code in all the projects combined were written in a memory-unsafe language, with the larger projects being the worst culprits.

Some 95% of the total lines of code in Linux for instance are memory-unsafe. For MySQL Server, that number was 84%; for TensorFlow it was 64%; for Zephyr 84%; and for Chromium 51%. On average, 26% of the total lines of code in the 10 largest open source projects consisted of memory-unsafe code. Even projects written in memory-safe languages were at risk from dependencies on unsafe components.

"Most critical open source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities," the report noted. "This can be caused by direct use of memory-unsafe languages or external dependency on projects that use memory-unsafe languages."

In addition, the tendency — and often the need — to disable memory-safety features to accommodate functional requirements in applications can often neutralize the benefits of using otherwise memory-safe languages.  

"These limitations highlight the need for continued diligent use of memory safe programming languages, secure coding practices, and security testing," the report authors noted.

**CISA Consistent With Previous OSS Data**

The findings are consistent with numerous previous studies that have examined the extensive problems tied to the use of memory-unsafe languages.  

And indeed, concerns over the ubiquity of the problem have prompted calls for change over the years. The most recent is a February 2024 technical report from the White House that urged industry stakeholders to go back to the building blocks and start over with using memory safe code in all software. In 2022, the US National Security Agency (NSA) urged software makers and all organizations developing software to consider adopting memory-safe languages to reduce risk from memory management related software issues in modern code bases. The continued pounding away at the topic over the years has spurred some change, but most expect it will take years — if not even decades — for a whole scale shift to memory-safe languages to happen.

"Adopting memory-safe code is challenging, primarily because changing a programming language often requires a complete rewrite of existing code," says Neatsun Ziv, CEO and Co-Founder of OX Security. The cost and effort required to undertake such a massive overhaul without significant economic incentives will likely make any change, a slow process.

**Making the World Memory-Safe: A Huge & Complex Challenge**

Omkhar Arasaratnam, general manager at OpenSSF says memory safety issues aren't specifically a problem for either open or closed-source software. It's a problem in general for all modern software.

"There are many memory-safe languages available today like JavaScript, Python, and Java, but software engineers often use memory-unsafe older languages like C/C++ for performance or low-level hardware access," he says.

Also, while Rust has emerged as a viable alternative to C/C++ for low level systems programming in recent years, there are many embedded systems and safety-critical applications for which Rust is not appropriate, he adds.

"While it is certainly possible to write memory-safe code in a memory-unsafe language, 25 years of CVEs tells us it is highly unlikely," Arasaratnam says. "It is not that people are bad programmers, but defensively writing code that is memory-safe in a memory-unsafe language is very difficult," he notes. As newer projects adopt memory-safe languages, expect the use of memory-unsafe languages to decrease over time, in all but niche applications.

Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, says the new report does a good job showing how some major open source software projects such as Kubernetes and WordPress are authored in a memory-safe language. However, there are other issues that remain unexplored, he says. For example, it would be interesting to know if memory-safe languages are being used in new projects on GitHub, and whether memory-safe libraries are being used as dependencies in larger projects.

"We can safely say that awareness of memory safe languages is growing, but is it growing at a rate that would displace older languages? For example, are the creators of new embedded software solutions using C++ or Rust, and to what degree?"

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA's Flags Memory-Unsafe Code in Major Open Source Projects

Though the Chicago-area hospital did not pay a ransom, a host of sensitive medical information is now at risk.

Source: Helen Sessions via Alamy Stock Photo

A full 791,000 of patients have had their personal information compromised in a cyberattack that resulted in Lurie Children's Hospital in Chicago taking its systems offline.

Cybercriminals accessed the children's hospital's systems, disrupting its patient portal, communications, and ability to access medical records.

In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.

Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.

While still determining the nature and scope of the attack, the hospital said, information "relating to certain individuals, such as name, address, date of birth, dates of service, driver's license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted," though it varies depending on the individual.

The hospital's notice did not specifically say that it was the victim of a ransomware attack, but it noted that the hospital did not pay a ransom of any kind.

"Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken," according to the hospital.

The cybercriminals in question are in the Rhysida ransomware gang, which has claimed responsibility of the attack, listing the hospital on its website and the apparent 600GB it claims to have stolen as "sold."

The hospital is in the process of informing affected individuals and is providing 24 months to Experian Identity Works. A call center is available to address questions and concerns about the information released on the cyberattack as well.

Hundreds of Thousands Impacted in Children's Hospital Cyberattack

Red Hat Security Advisory 2024-4166-03 - An update for python3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a traversal vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4166.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3 security updateAdvisory ID:        RHSA-2024:4166-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4166Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518

Red Hat Security Advisory 2024-4166-03

Red Hat Security Advisory 2024-4165-03 - An update for pki-core is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4165.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core security updateAdvisory ID:        RHSA-2024:4165-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4165Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-4727====================================================================Summary: An update for pki-core is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* dogtag ca: token authentication bypass vulnerability (CVE-2023-4727)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4727References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2232218https://issues.redhat.com/browse/RHEL-23077

Red Hat Security Advisory 2024-4165-03

Red Hat Security Advisory 2024-4164-03 - An update for pki-core is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4164.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core security updateAdvisory ID:        RHSA-2024:4164-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4164Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-4727====================================================================Summary: An update for pki-core is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* dogtag ca: token authentication bypass vulnerability (CVE-2023-4727)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4727References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2232218

Red Hat Security Advisory 2024-4164-03

Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0045.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.0 security update  
Advisory ID:        RHSA-2024:0045-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0045  
Issue date:         2024-06-27  
Revision:           03  
CVE Names:          CVE-2023-29483  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.16.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.16.0. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2024:0041

Security Fix(es):

* dnspython: denial of service in stub resolver (CVE-2023-29483)  
* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and  
cookies on HTTP redirect (CVE-2023-45289)  
* golang: net/http: memory exhaustion in Request.ParseMultipartForm  
(CVE-2023-45290)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* golang: crypto/x509: Verify panics on certificates with an unknown public  
key algorithm (CVE-2024-24783)  
* golang: net/mail: comments in display names are incorrectly handled  
(CVE-2024-24784)  
* golang: html/template: errors returned from MarshalJSON methods may break  
template escaping (CVE-2024-24785)  
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite  
loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)  
* jose: resource exhaustion (CVE-2024-28176)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at   
https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

CVEs:

CVE-2023-29483

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2262921  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268018  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268021  
https://bugzilla.redhat.com/show_bug.cgi?id=2268022  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268820  
https://bugzilla.redhat.com/show_bug.cgi?id=2274520  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767

Red Hat Security Advisory 2024-0045-03

Red Hat Security Advisory 2024-0043-03 - Red Hat build of MicroShift release 4.16.0 is now available with updates to packages and images that include a security update. Issues addressed include a bypass vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0043.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of MicroShift 4.16.0 security update  
Advisory ID:        RHSA-2024:0043-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0043  
Issue date:         2024-06-27  
Revision:           03  
CVE Names:          CVE-2024-3177  
====================================================================

Summary: 

Red Hat build of MicroShift release 4.16.0 is now available with updates to packages and images that include a security update.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift Container Platform. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift 4.16.0. Read the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0041

All Red Hat build of MicroShift 4.16 users are advised to use these updated packages and images when they are available in the RPM repository.

Security Fix(es):

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite  
loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)  
* kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by  
the ServiceAccount admission plugin (CVE-2024-3177)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.16/html/release_notes/index

CVEs:

CVE-2024-3177

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2274118  
https://issues.redhat.com/browse/OCPBUGS-21901  
https://issues.redhat.com/browse/OCPBUGS-23336  
https://issues.redhat.com/browse/OCPBUGS-24444  
https://issues.redhat.com/browse/OCPBUGS-24689  
https://issues.redhat.com/browse/OCPBUGS-25030  
https://issues.redhat.com/browse/OCPBUGS-25784  
https://issues.redhat.com/browse/OCPBUGS-27849  
https://issues.redhat.com/browse/OCPBUGS-29037  
https://issues.redhat.com/browse/OCPBUGS-29847  
https://issues.redhat.com/browse/OCPBUGS-30039  
https://issues.redhat.com/browse/OCPBUGS-30807  
https://issues.redhat.com/browse/OCPBUGS-30833  
https://issues.redhat.com/browse/OCPBUGS-31739  
https://issues.redhat.com/browse/OCPBUGS-32946  
https://issues.redhat.com/browse/OCPBUGS-33588

Red Hat Security Advisory 2024-0043-03

Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.

Red Hat Security Advisory 2024-0041-03

Debian Linux Security Advisory 5723-1 - Fabian Vogt discovered that the KDE session management server insufficiently restricted ICE connections from localhost, which could allow a local attacker to execute arbitrary code as another user on next boot.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5723-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 27, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : plasma-workspace  
CVE ID         : CVE-2024-36041

Fabian Vogt discovered that the KDE session management server  
insufficiently restricted ICE connections from localhost, which could  
allow a local attacker to execute arbitrary code as another user on  
next boot.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 4:5.20.5-6+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 4:5.27.5-2+deb12u2.

We recommend that you upgrade your plasma-workspace packages.

For the detailed security status of plasma-workspace please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/plasma-workspace

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZ9r5gACgkQEMKTtsN8  
TjZUrRAAped6yEardsWDFEJgGZPtJzGItPSo1cS4u5J+DxNSOs5F0YWYpfgYk9Vq  
Ud92pF/ORYH4IVVUjKKDye6hVPufY1mu0Bibgl5OyZxgkrXLnnTRg69PAwqT1IZi  
3L4ge8g+6zG3Y4j+e4kVOcgStvLnKXz8URQVCYvQB+VJWWfIJXl0YDJnHlX7hYhn  
Th2X1aUIryZs0reokkrofRIkcuPWZqth1Dgy1xmGBC2voCfrJ5g3Qu05nVFvnBFe  
QMV737XZxShKMbiV7oE7BXAZ3DuYU4OOXm14SvqTTwdNe/7zhhyz4GCmlIJHQu1u  
rTMPVODckBBAhc3dBjEPpAV5LJpEmoIoINsfp/ulArZkXifTl7sIBLcgodNsTPrE  
W6q5MU7u51XUDd4yYaa2PVT2U3xpPHaj4C5opbp7EwvoCN0Gj6m7BRhSWKl74joO  
QkWjRBxHcmv0zJPH0ttekpyjcwxPmGSSshVEbPYeG6Sw0Zwn9r6fT5749DP+iESf  
7gDJhIxyxVG9o/p5sJOuGo9G43reGleQMigWwhfVt74Ing05o4sSIcqJkkmPNoIT  
MhkKHXRmKtDQOMsT74T/NX7zUGGZBpsmtZZq4Ze0zEvnVfMnxJc+n0WXIRLW+gid  
YFFHRXUY4T1vkcJKSLZpI3Kdp5xzMRPAVAn1sGrmnqkwZfcrWiA=  
=hKop  
-----END PGP SIGNATURE-----

Debian Security Advisory 5723-1

Ubuntu Security Notice 5616-3 - USN-5615-1 fixed several vulnerabilities in SQLite. This update provides the corresponding fix for CVE-2020-35525 for Ubuntu 14.04 LTS. It was discovered that SQLite incorrectly handled INTERSEC query processing. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5615-3  
June 27, 2024

sqlite3 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

SQLite could be made to crash or execute arbitrary code.

Software Description:  
- sqlite3: C library that implements an SQL database engine

Details:

USN-5615-1 fixed several vulnerabilities in SQLite. This update provides  
the corresponding fix for CVE-2020-35525 for Ubuntu 14.04 LTS.

Original advisory details:

  It was discovered that SQLite incorrectly handled INTERSEC query  
  processing. An attacker could use this issue to cause SQLite to crash,  
  resulting in a denial of service, or possibly execute arbitrary code.  
  (CVE-2020-35525)

  It was discovered that SQLite incorrectly handled ALTER TABLE for views  
  that have a nested FROM clause.  An attacker could use this issue to cause  
  SQLite to crash, resulting in a denial of service, or possibly execute  
  arbitrary code. This issue was only addressed in Ubuntu 20.04 LTS.  
  (CVE-2020-35527)

  It was discovered that SQLite incorrectly handled embedded null characters  
  when tokenizing certain unicode strings. This issue could result in  
  incorrect results. This issue only affected Ubuntu 20.04 LTS.  
  (CVE-2021-20223)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 14.04 LTS  
   libsqlite3-0                    3.8.2-1ubuntu2.2+esm4  
                                   Available with Ubuntu Pro  
   sqlite3                         3.8.2-1ubuntu2.2+esm4  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5615-3  
   https://ubuntu.com/security/notices/USN-5615-1  
   CVE-2020-35525

Latest News