CVE-2021-20227

[GreatAnn0827]

Expected Behavior

Actual Behavior

Steps to Reproduce

SQLCipher version (can be identified by executing PRAGMA cipher_version;):4.4.1

SQLCipher for Android version:

Sorry to borther again, there was a new vulnerability found in sqlcipher 4.4.1,What is the impact on the SQLCipher 4.4.1?
Note: If you are not posting a specific issue for the SQLCipher library, please consider posting your question to the SQLCipher discuss site. Thanks!

[developernotes]

Hello @GreatAnn0827

The issue identified in CVE-2021-20227 was addressed in SQLite 3.34.1 here, which was included in SQLCipher 4.4.3. It is a use after free bug related to subqueries containing both a WHERE clause and a HAVING statement. We would recommend updating to SQLCipher 4.4.3, especially if your application(s) include the above style queries.

We reserve GitHub Issues for reporting defects in the software library. For questions relating to SQLCipher, including CVE's we ask that you direct your questions to the SQLCipher community discuss site.

[GreatAnn0827]

thank you so much,Is there a patch strategy for version 4.4.1？

[developernotes]

Hi @GreatAnn0827

You can directly upgrade from SQLCipher 4.4.1 to 4.4.3.