Candidate: CVE-2021-3119
PublicDate: 2021-03-25 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3119
 https://github.com/sqlcipher/sqlcipher/commit/cb71f53e8cea4802509f182fa5bead0ac6ab0e7f#diff-9305215a9a0ea69300281fc4af90bc7f3437e34a0e1745d030213152993ddae4
 https://www.telekom.com/resource/blob/621186/3fb50ca7a4a97728be18717ed7b0062c/dl-210308-critical-dos-vulnerability-in-sqlcipher-sql-command-processing-data.pdf
Description:
 Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue
 related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c.
 This may allow an attacker to perform a remote denial of service attack.
 For example, an SQL injection can be used to execute the crafted SQL
 command sequence, which causes a segmentation fault.
Ubuntu-Description:
Notes:
 sbeattie> introduced in 4.1.0 it seems
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_sqlcipher:
 upstream: https://github.com/sqlcipher/sqlcipher/commit/cb71f53e8cea4802509f182fa5bead0ac6ab0e7f#diff-9305215a9a0ea69300281fc4af90bc7f3437e34a0e1745d030213152993ddae4
upstream_sqlcipher: released (4.4.3)
precise/esm_sqlcipher: DNE
trusty_sqlcipher: ignored (out of standard support)
trusty/esm_sqlcipher: DNE
xenial_sqlcipher: not-affected (introduced in 4.1.0)
bionic_sqlcipher: not-affected (introduced in 4.1.0)
focal_sqlcipher: not-affected (introduced in 4.1.0)
groovy_sqlcipher: not-affected (introduced in 4.1.0)
devel_sqlcipher: not-affected (introduced in 4.1.0)