I understand that the current version of SQLCipher uses SQLite 3.4.1. Our scanning tools report certain vulnerabilities in this embedded library and recommends to upgrade to SQLite 3.21.0. Is there any plan when SQLCipher will support this version of SQLite?
Thank you for your interest in SQLCipher. The current release of SQLCipher is 3.4.1 which is based on SQLite 3.15.2. We are currently updating SQLCipher for all of our supported platforms which will include an update to the SQLite upstream based on 3.20.1. SQLite 3.21.0 was just released a few weeks ago. Historically we allow for a stabilization period before integrating a new upstream SQLite release. Please let us know if you have any further questions. Thanks!
We have also problem with the SQLite vulnerabilities, which probably blocks our product delivery.
Is there any chance that this SQLite update will be ready by January? Do you have a target date?
We anticipate a new release of SQLCipher will be available soon. Unfortunately, I can not comment on a specific date however we are nearing completion of our release cycle.
Thanks for the quick response @developernotes.
Good to see SQLite 3.20.1 is already merged, bad news for us that this version brings a new vulnerability:
Looking forward to the next version!
Hello @strehli Thanks for keeping an eye out and following up. The next release of SQLCipher will likely occur in the new year, and will probably be based on 3.21.0 or 3.22.0 (depending on timing). Upstream fixes in SQLite would be merged in then. A few other comments with regard to the CVE in question: it specifically deals with the SQLite shell, which is not used by applications linking SQLCipher (though the underlying problem may still pertain), it’s not clear whether that issue has been fixed upstream at this point, and finally, SQLCipher likely reduces the risk / impact, at least for the class of applications that is not dealing with untrusted plaintext databases from third parties (given that a specifically corrupted database and processing logic is required).
Same here. Looking forward to a new release.
@developernotes Can you provide some information on how to perform an upgrade.
What steps do I need to follow to perform my own upgrade to SQLite 3.21.0 ?
Hello @GJRTimmer - Unfortunately we don’t support ad hoc migrations to different versions of SQLite like that. Each release is integrated and tested specifically to avoid differences between SQLCipher and SQLite upstream, and to minimize the risk of breaking changes to SQLCipher. The next release will likely be based on 3.23.0 once that is available and has stabilized.
I’ve already obtained the fossil repository of SQLite, and the github repo of SQLCipher. I ust would like to learn how to integrate a new SQLite version within SQLCipher and get a succesful build.
I also understand that you are not looking towards people submitting a PR on Github with a new SQLite upgrade, because that would defeat the purpose of testing as you explained earlier.
I just would like to know for my own projects how to integrate SQLite3 into SQLCipher.
Hope you guys can put me in the right direction.
Hello @GJRTimmer - In that case, one option would be to take a diff between the current upstream SQLite 3.20.1 source tree and the new SQLite 3.21.0 source tree. Then take the results of that diff and apply it to the SQLCipher 3.4.2 sources, resolve any merge failures, etc. You could then build and run the crypto.test locally to perform some basic validation and do your own testing as needed. For clarity, this is not the approach we use internally, but would probably yield similar results. Again, I’d just caution that there are some risks involved here, so use caution / discretion as appropriate.
@GJRTimmer no problem at all, I hope it works well for you. One other clarification with regard to crypto.test - that would involve
make testfixture and
./testfixture test/crypto.test in order to perform a basic validation of sqlcipher functionality.
any news about the new release?
Hi @strehli - thanks for following up. We are closing in on the release for the next version of SQLCipher, which will be based on 3.25.2.
Any status update here (or rough ballpark ETA)?
We’re considering doing applying an update to SQLcipher’s SQLite code manually, but if the new release is right around the corner, this would be unnecessary.
Hello @thomcc - we ran into a couple of delays, but release is going to be right around the corner, very likely late November.
I, too, am awaiting the next release with bated breath, given that when wrapping SQLCipher for Android for use in Flutter I ran into many missing methods in 3.5.9 compared to the
android.database.sql API docs
Whoo hoo!!! Thank you.