In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade sqlite3 to version 2.9.5 or higher.
Affected versions of this package are vulnerable to Use After Free via the aggregate function callbacks in Database#create_aggregate, #create_aggregate_handler, and Database#define_aggregator. An attacker can trigger an invalid memory read and segmentation fault by keeping a prepared statement that calls an aggregate function alive after the database has been explicitly closed or discarded, then stepping that statement. The vulnerable code clears the database’s -aggregators reference on close and discard, leaving aggregate callback objects eligible for garbage collection while an open statement still references them. This breaks applications that close a database while outstanding statements remain and can crash the process when the statement later executes.
Notes
Workarounds
close or discard; this prevents the invalid memory read and segmentation fault triggered when the statement is stepped later.