Hi,

The following vulnerability was published for sqlite3.

CVE-2021-45346[0]:
| A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and
| 3.37.0 via maliciously crafted SQL Queries (made via editing the
| Database File), it is possible to query a record, and leak subsequent
| bytes of memory that extend beyond the record, which could let a
| malicous user obtain sensitive information..


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45346

Please adjust the affected versions in the BTS as needed.

It is not clear if this has actually been reported upstream.

Control: tags -1 +moreinfo
 Please explain how this is a security issue? To exploit this you need
read _and_ write access to the database file, then knowledge of its
binary format for changing it to your needs. Last but not least, you
need to fool an application to execute your arbitrary SQL statements
to leak information.
If you have shell access to the database, you already can issue any
'SELECT' and get all its information. For this, read access to the
database file is enough, _no need_ for write access and altering its
binary format. Furthermore if you can read the database file, you can
copy that as well to wherever you want to. Why would you waste time
and effort to alter the database file and may cause database
corruption?
I just don't get the point of this CVE.

Regards,
Laszlo/GCS