Important Advisory: Magellan and SQLCipher

Magellan is a SQLite remote code execution vulnerability discovered by Tencent Blade Team. It can affect applications that use SQLite versions prior to 3.26.0 and, because SQLCipher is based on SQLite, applications that use SQLCipher versions prior to 4.0.1.

The scope of the vulnerability is such that it could be used to exploit applications that:

  1. Allow a potential attacker to execute arbitrary SQL; or
  2. Open untrusted databases (i.e. that could be specifically corrupted by an attacker)

Due to the potential severity of this issue, we strongly recommend that all applications upgrade to SQLCipher 4.0.1 (or higher) immediately, especially if they meet the aforementioned criteria.

Please review the SQLCipher 4.0.1 announcement for important details about updates and library compatibility.
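To verify which library an application actually links at runtime against the version floors in this advisory, here is an added check (example code, not SQLCipher's own). It assumes that `PRAGMA cipher_version` returns a row such as `4.0.1 community` on SQLCipher and no rows on plain SQLite, which silently ignores unknown pragmas.

```python
import sqlite3

# Version floors from the advisory: SQLite 3.26.0 and SQLCipher 4.0.1.
SQLITE_FIXED = (3, 26, 0)
SQLCIPHER_FIXED = (4, 0, 1)


def parse_version(text):
    """Turn '3.25.2' or '4.0.0 community' into a comparable tuple of ints.

    Assumption: the numeric version is the first whitespace-separated token.
    """
    first = text.strip().split()[0]
    return tuple(int(part) for part in first.split("."))


def magellan_status(sqlite_version, cipher_version=None):
    """Return (affected, reason) for the given version strings.

    cipher_version is the output of 'PRAGMA cipher_version' on SQLCipher,
    or None when the linked library is plain SQLite.
    """
    if cipher_version:
        if parse_version(cipher_version) < SQLCIPHER_FIXED:
            return True, f"SQLCipher {cipher_version} is older than 4.0.1"
        return False, f"SQLCipher {cipher_version} includes the fix"
    if parse_version(sqlite_version) < SQLITE_FIXED:
        return True, f"SQLite {sqlite_version} is older than 3.26.0"
    return False, f"SQLite {sqlite_version} includes the fix"


def check_connection(conn):
    """Probe a live connection for its SQLite and, if present, SQLCipher version."""
    sqlite_version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    # Plain SQLite ignores the unknown pragma and yields no row (assumption);
    # SQLCipher yields a row such as ('4.0.1 community',).
    row = conn.execute("PRAGMA cipher_version").fetchone()
    cipher_version = row[0] if row else None
    return magellan_status(sqlite_version, cipher_version)


if __name__ == "__main__":
    affected, reason = check_connection(sqlite3.connect(":memory:"))
    print("AFFECTED" if affected else "OK", "-", reason)
```

Run it against the same SQLCipher build the application ships with (for example through a binding that loads that library) rather than the interpreter's bundled SQLite, since the result describes only the library the connection actually uses.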