Magellan Vulnerbility


#1

Does the newly disclosed Magellan vulnerability affect SqlCipher versions? https://www.zdnet.com/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/


#2

Interesting. Reading the Magellan release info page, there’s not a lot of info in it:

https://blade.tencent.com/magellan/index_en.html

It does mention SQLite 3.26.0 as being safe. Sounds like there will need to be an update of SQLCipher’s base to either include the appropriate patch, or just update it to 3.26.0 itself.


#3

Seems to be more useful info here:

Proof of concept exploit showing the crash:

It mentions the SQLite source code patch which fixes the vulnerability:

To me, it looks like the bug is in the FTS3 module. So if your SQLCipher is compiled without FTS3, it’s probably “safe” as is.

The patch itself looks fairly simple. It may be easy to update SQLCipher to include just that.

No idea personally, as security related stuff can sometimes take a fair while to re-validate even after a “minor” change. :slight_smile:


#4

That’s great information - and makes me feel a bit better. Since we control all of the SQL that gets executed, that definitely makes things a bit better.

But yes - we anxiously await a new version of SqlCipher.


#5

FYI it should be possible for any developer to update SQLCipher to SQLite 3.26.0 as described in https://discuss.zetetic.net/t/sqlcipher-sqlite-update/2470.

I hope to see this update on SQLCipher ASAP. While a patch on FTS3 should be good enough I would really favor a clean SQLite 3.26.0 update.

Someone also raised a GitHub issue in https://github.com/sqlcipher/sqlcipher/issues/297. I think this is the right place to discuss the wanted update but am not 100% sure.


#6

The latest SQLCipher 4.0.0 release is based on 3.25.2, so it is affected. However an update, SQLCipher 4.0.1 based on 3.26.0, should be available next week to resolve this. We’ve already updated the baseline, so we are just finishing up builds and testing. Keep an eye out for the release notification here.


#7

Thanks @sjlombardo for the quick response!


#8

We’ve just released SQLCipher 4.0.1. The new version of SQLCipher is based on SQLite 3.26.0 so it addresses the Magellan vulnerability. In also includes new PRAGMAs to simplify backwards compatibility settings for applications (PRAGMA cipher_compatibility/cipher_default_compatibility), plus some other improvements and fixes.