Does the newly disclosed Magellan vulnerability affect SqlCipher versions? https://www.zdnet.com/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/
Interesting. Reading the Magellan release info page, there’s not a lot of info in it:
https://blade.tencent.com/magellan/index_en.html
It does mention SQLite 3.26.0 as being safe. Sounds like there will need to be an update of SQLCipher’s base to either include the appropriate patch, or just update it to 3.26.0 itself.
Seems to be more useful info here:
- https://news.ycombinator.com/item?id=18686305
- https://news.ycombinator.com/item?id=18686462 (response to the above, by the main SQLite author)
Proof of concept exploit showing the crash:
- https://worthdoingbadly.com/sqlitebug/
- https://github.com/zhuowei/worthdoingbadly.com/blob/8708d93eaa0891f167812cea9235306a24820bd1/_posts/2018-12-14-sqlitebug.html#L59-L136
It mentions the SQLite source code patch which fixes the vulnerability:
To me, it looks like the bug is in the FTS3 module. So if your SQLCipher is compiled without FTS3, it’s probably “safe” as is.
The patch itself looks fairly simple. It may be easy to update SQLCipher to include just that.
No idea personally, as security related stuff can sometimes take a fair while to re-validate even after a “minor” change.
That’s great information - and makes me feel a bit better. Since we control all of the SQL that gets executed, that definitely makes things a bit better.
But yes - we anxiously await a new version of SqlCipher.
FYI it should be possible for any developer to update SQLCipher to SQLite 3.26.0 as described in https://discuss.zetetic.net/t/sqlcipher-sqlite-update/2470.
I hope to see this update on SQLCipher ASAP. While a patch on FTS3 should be good enough, I would really favor a clean SQLite 3.26.0 update.
Someone also raised a GitHub issue in https://github.com/sqlcipher/sqlcipher/issues/297. I think this is the right place to discuss the wanted update but am not 100% sure.
The latest SQLCipher 4.0.0 release is based on 3.25.2, so it is affected. However, an update, SQLCipher 4.0.1 based on 3.26.0, should be available next week to resolve this. We’ve already updated the baseline, so we are just finishing up builds and testing. Keep an eye out for the release notification here.
Thanks @sjlombardo for the quick response!
We’ve just released SQLCipher 4.0.1. The new version of SQLCipher is based on SQLite 3.26.0 so it addresses the Magellan vulnerability. It also includes new PRAGMAs to simplify backwards compatibility settings for applications (PRAGMA cipher_compatibility/cipher_default_compatibility), plus some other improvements and fixes.
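A check for the two conditions raised in this thread (an SQLite baseline older than 3.26.0, and FTS3 being compiled in), as an added example that is not from any poster or from the SQLCipher project. It uses Python's standard `sqlite3` module as a stand-in; the assumption is that the same statements are run on an already keyed SQLCipher connection. The function names and status labels are hypothetical.

```python
import sqlite3

FIXED_BASELINE = (3, 26, 0)  # SQLite release the thread names as safe


def parse_version(text):
    """'3.25.2' -> (3, 25, 2); any fourth component is ignored."""
    return tuple(int(part) for part in text.strip().split(".")[:3])


def fts3_compiled_in(conn):
    """True if the library behind conn can create an FTS3 table."""
    options = {row[0] for row in conn.execute("PRAGMA compile_options")}
    if options & {"ENABLE_FTS3", "ENABLE_FTS4"}:
        return True
    # compile_options can be empty or incomplete, so also probe directly.
    try:
        conn.execute("CREATE VIRTUAL TABLE temp.fts3_probe USING fts3(body)")
    except sqlite3.OperationalError as exc:
        if "no such module" in str(exc):
            return False
        raise
    conn.execute("DROP TABLE temp.fts3_probe")
    return True


def classify(version_text, has_fts3):
    """Map the two facts onto the cases discussed in the thread."""
    if parse_version(version_text) >= FIXED_BASELINE:
        return "fixed-baseline"
    # Older baseline: the thread's view is that a build without FTS3
    # is probably safe, while one with FTS3 is affected.
    return "affected" if has_fts3 else "old-baseline-no-fts3"


def check_connection(conn):
    """Report baseline version, FTS3 availability and resulting status."""
    version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    has_fts3 = fts3_compiled_in(conn)
    return {"sqlite_version": version, "fts3": has_fts3,
            "status": classify(version, has_fts3)}


if __name__ == "__main__":
    # Constructed input: an in-memory database on the local SQLite library.
    print(check_connection(sqlite3.connect(":memory:")))
```
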