CVE-2018-8740

Published: 17 March 2018

In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
sqlite3 Launchpad, Ubuntu, Debian	Upstream	Released (3.22.0-2)


	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable (3.22.0-1)
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (3.22.0-1ubuntu0.4)
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (3.11.0-1ubuntu1.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (3.8.2-1ubuntu2.2)
	Patches: Upstream: https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b Upstream: https://github.com/sqlite/sqlite/commit/1e9c47be1e81e94a67f788c98fd70e8bf70e3746

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8740
https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema
https://ubuntu.com/security/notices/USN-4205-1
https://ubuntu.com/security/notices/USN-4394-1
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893195
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1756349
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6964

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›