Rapid7 Vulnerability & Exploit Database

RHSA-2015:1635: sqlite security update


SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.

A flaw was found in the way SQLite handled dequoting of collation-sequence names. A local attacker could submit a specially crafted COLLATE statement that would crash the SQLite process, or have other unspecified impacts. (CVE-2015-3414)

It was found that SQLite's sqlite3VdbeExec() function did not properly implement comparison operators. A local attacker could submit a specially crafted CHECK statement that would crash the SQLite process, or have other unspecified impacts. (CVE-2015-3415)

It was found that SQLite's sqlite3VXPrintf() function did not properly handle precision and width values during floating-point conversions. A local attacker could submit a specially crafted SELECT statement that would crash the SQLite process, or have other unspecified impacts. (CVE-2015-3416)

All sqlite users are advised to upgrade to this updated package, which contains backported patches to correct these issues.


  • redhat-upgrade-lemon
  • redhat-upgrade-sqlite
  • redhat-upgrade-sqlite-debuginfo
  • redhat-upgrade-sqlite-devel
  • redhat-upgrade-sqlite-doc
  • redhat-upgrade-sqlite-tcl
