In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade sqlite3 to version 2.9.5 or higher.
Affected versions of this package are vulnerable to Use After Free in Database#define_function and Database#create_function through the custom function registry in lib/sqlite3/database.rb. An attacker can trigger a segmentation fault by redefining the same SQLite function name with a different arity or text encoding, then invoking the earlier definition after garbage collection. This leaves Ruby block references for the original function freed while SQLite still holds a callable function entry, causing invalid memory reads when the function is executed.
Notes
create_function and define_function feed the same lifetime-managed function storage.Workarounds
Database#create_function or Database#define_function; this prevents the use-after-free and segmentation fault triggered when the earlier definition is later invoked after garbage collection.