CVE-2015-3415

Published: 24 April 2015

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

Priority

Status

Package	Release	Status
sqlite Launchpad, Ubuntu, Debian	artful	Ignored (reached end-of-life)
	bionic	Not vulnerable (code not present)
	cosmic	Not vulnerable (code not present)
	lucid	Ignored (reached end-of-life)
	precise	Does not exist (precise was needs-triage)
	trusty	Not vulnerable (code not present)
	upstream	Not vulnerable (code not present)
	utopic	Ignored (reached end-of-life)
	vivid	Ignored (reached end-of-life)
	wily	Ignored (reached end-of-life)
	xenial	Not vulnerable (code not present)
	yakkety	Ignored (reached end-of-life)
	zesty	Ignored (reached end-of-life)
sqlite3 Launchpad, Ubuntu, Debian	artful	Not vulnerable (3.8.10.2-1)
	bionic	Not vulnerable (3.8.10.2-1)
	cosmic	Not vulnerable (3.8.10.2-1)
	lucid	Ignored (reached end-of-life)
	precise	Not vulnerable (code not present)
	trusty	Not vulnerable (code not present)
	upstream	Released (3.8.9)
	utopic	Not vulnerable (code not present)
	vivid	Released (3.8.7.4-1ubuntu0.1)
	wily	Not vulnerable (3.8.10.2-1)
	xenial	Not vulnerable (3.8.10.2-1)
	yakkety	Not vulnerable (3.8.10.2-1)
	zesty	Not vulnerable (3.8.10.2-1)
	Patches: upstream: https://www.sqlite.org/src/info/02e3c88fbf6abdcf

References

Bugs

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783968

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›