CVE-2020-13434

Published: 24 May 2020

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. sqlite3_str_vappendf is the core formatting routine behind SQLite's printf()-style C APIs and the printf() SQL function, so a crafted SQL statement can reach the flaw. The fix landed upstream in SQLite 3.32.1 (see the status table below).

Priority: Medium

CVSS 3 base score: 5.5

Status

Package: sqlite3 (tracked in Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (3.32.1-1)
Ubuntu 20.10 (Groovy Gorilla)     Released (3.32.2-2)
Ubuntu 20.04 LTS (Focal Fossa)    Released (3.31.1-4ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver)  Released (3.22.0-1ubuntu0.4)
Ubuntu 16.04 LTS (Xenial Xerus)   Released (3.11.0-1ubuntu1.5)
Ubuntu 14.04 ESM (Trusty Tahr)    Not vulnerable
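A check a practitioner wants from this table is whether the sqlite3 library installed on a given host is at or past the fixed version for its release. The script below is an added example for this page, not Ubuntu's or SQLite's own tooling: it encodes the fixed versions from the status table above and re-implements the ordering used by `dpkg --compare-versions` (Debian Policy 5.6.12) so the comparison also works where dpkg is absent. The binary package name libsqlite3-0 (the shared library built from the sqlite3 source package) and the /etc/os-release lookup in main() are assumptions about the host.

```python
"""Check an installed sqlite3 build against the CVE-2020-13434 fixed versions.

Added example for this tracker page (not Ubuntu's or SQLite's tooling).
"""
import subprocess

# Fixed package versions as listed in the status table above.
# "upstream" is the Upstream/Debian entry; Trusty is listed as not vulnerable.
FIXED_VERSIONS = {
    "upstream": "3.32.1-1",
    "groovy": "3.32.2-2",
    "focal": "3.31.1-4ubuntu0.1",
    "bionic": "3.22.0-1ubuntu0.4",
    "xenial": "3.11.0-1ubuntu1.5",
}
NOT_VULNERABLE = {"trusty"}


def _order(ch):
    """dpkg's collating order for characters in the non-digit runs."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":          # '~' sorts before everything, even end of string
        return -1
    return ord(ch) + 256   # other punctuation sorts after letters


def _at(s, i):
    return s[i] if i < len(s) else ""


def _verrevcmp(a, b):
    """Compare an upstream version or a Debian revision the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # phase 1: non-digit runs, compared character by character
        while (_at(a, i) and not _at(a, i).isdigit()) or \
              (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # phase 2: digit runs, compared numerically (leading zeros ignored)
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_compare(a, b):
    """Return -1, 0 or 1 as Debian version a is <, == or > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(codename, installed_version):
    """True if this sqlite3 package version on the given release carries the fix."""
    if codename in NOT_VULNERABLE:
        return True
    if codename not in FIXED_VERSIONS:
        raise ValueError(f"no status entry for release {codename!r}")
    return deb_version_compare(installed_version, FIXED_VERSIONS[codename]) >= 0


def host_codename(path="/etc/os-release"):
    """Read VERSION_CODENAME from os-release (assumed present on the host)."""
    with open(path) as f:
        for line in f:
            key, _, value = line.strip().partition("=")
            if key == "VERSION_CODENAME":
                return value.strip('"')
    raise RuntimeError("VERSION_CODENAME not found in " + path)


def main():
    # Assumption: libsqlite3-0 is the installed binary package of interest.
    installed = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Version}", "libsqlite3-0"],
        capture_output=True, text=True, check=True).stdout.strip()
    codename = host_codename()
    verdict = "fixed" if is_fixed(codename, installed) else "VULNERABLE"
    print(f"{codename}: libsqlite3-0 {installed} -> {verdict}")


if __name__ == "__main__":
    main()
```

Run it as `python3 check_cve_2020_13434.py` on the host being audited. The package check says nothing about SQLite copies that are statically linked or vendored into other software (language runtimes, browsers, mobile SDKs); those must be checked against their own bundled SQLite version, which needs to be 3.32.1 or later.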

Patches:
Upstream: https://www.sqlite.org/src/info/d08d3405878d394e
Upstream: https://github.com/sqlite/sqlite/commit/dd6c33d372f3b83f4fe57904c2bd5ebba5c38018

Notes

leosilva: printf function support was added in 3.8.3 by commit
https://github.com/sqlite/sqlite/commit/a5c1416d64b4b857721f085258b6ef1dcaeb6f5b
