A remote code execution vulnerability has been discovered in SQLite, dubbed Magellan 2.0 by the research team that discovered it.
Tencent’s Blade security research team has published some details of a remote code execution vulnerability that affects all versions of SQLite prior to the latest patch, issued on 13 December 2019. SQLite is a widely used embedded SQL engine, found in products ranging from web browsers (such as Google Chrome) to line-of-business applications and IoT devices. It is the most widely used database engine in the world, with an estimated trillion databases in active use. According to the researchers, any unpatched SQLite application that accepts external queries could be vulnerable.
The advisory from Tencent states:
If you are using a software that is using SQLite as component (without the latest patch, which is 13 Dec 2019), and it supports external SQL queries. Or, you are using Chrome that is prior to 79.0.3945.79 with WebSQL enabled, you may be affected. Other devices such as PC/Mobile devices/IoT devices may also be affected, depends on if there’s a proper attack surface.
The researchers raised several CVEs against the Google Chrome browser (CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753) to record their findings, as they demonstrated remote code execution after an out-of-bounds write caused by a specially crafted HTML page. The issues are resolved in Chrome version 79.0.3945.79 or later.
Since SQLite is a C library that is compiled into many applications, it cannot be updated in isolation; instead, a new version of every application that makes use of it will need to be obtained from its vendor. For the vulnerability to be exploited, either a specially crafted HTML file needs to be accessed or an external SQL query needs to be executed.
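Because each application carries its own copy of the library, a first triage step is to ask each runtime which SQLite build it is linked against. The following Python code is an added example, not taken from Tencent's advisory or the SQLite project: it reads the library's source ID and compares its check-in date with the 13 December 2019 patch date given above. The function names are hypothetical, and the date is assumed to be only a triage signal, since a vendor may backport the fix without changing the source ID.

```python
import sqlite3
from datetime import date, datetime

# Patch date given in the article above.
PATCH_DATE = date(2019, 12, 13)


def source_date(source_id: str) -> date:
    """Return the check-in date that starts a sqlite_source_id() string.

    The string has the form 'YYYY-MM-DD HH:MM:SS <hash>'; anything else
    raises ValueError so a malformed value is never silently accepted.
    """
    return datetime.strptime(source_id.strip()[:10], "%Y-%m-%d").date()


def triage(source_id: str, patch_date: date = PATCH_DATE) -> str:
    """Classify a build relative to the patch date (triage signal only)."""
    built = source_date(source_id)
    if built < patch_date:
        return "predates-patch"
    if built == patch_date:
        # Same-day builds may or may not include the fix.
        return "same-day-verify-manually"
    return "after-patch-date"


def linked_sqlite_report() -> dict:
    """Report the SQLite library this Python interpreter is linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        source_id = conn.execute("SELECT sqlite_source_id()").fetchone()[0]
    finally:
        conn.close()
    return {
        "version": sqlite3.sqlite_version,
        "source_id": source_id,
        "status": triage(source_id),
    }


if __name__ == "__main__":
    # Constructed sample IDs (placeholder hashes), then the linked library.
    for sample in ("2019-10-10 20:19:45 " + "0" * 64,
                   "2020-01-22 18:38:59 " + "f" * 64):
        print(sample[:19], "->", triage(sample))
    print(linked_sqlite_report())
```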