SQLCipher 4.0.1 Release

2018-12-18 07:00:00 -0500

SQLCipher 4.0.1 is now available. This update to SQLCipher 4 includes several very important changes:

  • Based on upstream SQLite 3.26.0, which addresses the SQLite “Magellan” vulnerability
  • Adds PRAGMA cipher_compatibility and PRAGMA cipher_default_compatibility which simplify configuration of appropriate compatibility settings for different major SQLCipher versions
  • Filters out ATTACH statements which contain KEY parameters from readline history when using the command line shell
  • Fixes a crash in the command line shell when it is provided empty input (e.g. ^D)
  • Fixes various compiler warnings related to strict-prototypes

The Magellan Vulnerability

The SQLite Magellan issue is a remote code execution vulnerability. Discovered by Tencent Blade Team, this problem can potentially affect applications that use SQLite versions prior to 3.26.0. By extension, because SQLCipher is based on SQLite, this issue can also affect applications that use SQLCipher versions prior to this release of 4.0.1.

The scope of the vulnerability is such that it could be used to exploit applications that:

  1. Allow a potential attacker to execute arbitrary SQL; or
  2. Open untrusted databases (i.e. that could be specifically corrupted by an attacker)

Due to the potential severity of this issue, we strongly recommend that all applications upgrade to SQLCipher 4.0.1, especially if they meet the aforementioned criteria.

Compatibility

As with the recent SQLCipher 4.0.0 release, 4.0.1 contains changes that are not directly compatible with SQLCipher 3.x (or lower). These changes provide a much higher level of security than previous versions of SQLCipher; however, SQLCipher 4.x will not open older databases by default (i.e. those created by SQLCipher 3.x or lower). To enable backwards compatibility, applications can easily adjust settings at runtime or migrate older databases:

  • To migrate and upgrade an existing database in place (preserving data and schema) to use the new default settings, use PRAGMA cipher_migrate.
  • To open an older database use the compatibility PRAGMAs to adjust settings back to their previous values. For example, to open a SQLCipher 3 database using SQLCipher 4, use the following statement after opening and keying the database: PRAGMA cipher_compatibility = 3;.
  • To attach and export data to a new database with fine-grained control, use the sqlcipher_export() convenience function.
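The three routes above as an added walkthrough in the sqlcipher command line shell (example script, not from the original post). File names and passphrases are placeholders, each scenario is a separate shell session, and the attached database in the third scenario is assumed to be created with the 4.x default settings:

```sql
-- Scenario 1: read a SQLCipher 3.x database as-is by restoring 3.x settings
-- on this connection. Run as: sqlcipher legacy.db
PRAGMA key = 'legacy-passphrase';          -- placeholder passphrase
PRAGMA cipher_compatibility = 3;           -- must follow keying, precede any read
SELECT count(*) FROM sqlite_master;        -- fails with "file is not a database" if settings mismatch

-- Scenario 2: upgrade the same file in place to the 4.x defaults (data and
-- schema preserved). Fresh session, no compatibility PRAGMA beforehand.
PRAGMA key = 'legacy-passphrase';
PRAGMA cipher_migrate;                     -- prints 0 on success
SELECT count(*) FROM sqlite_master;        -- readable with plain 4.x settings from now on

-- Scenario 3: keep the original untouched and export into a new 4.x file.
-- The ATTACH ... KEY line is the form the 4.0.1 shell keeps out of readline history.
PRAGMA key = 'legacy-passphrase';
PRAGMA cipher_compatibility = 3;           -- needed to read the old main database
ATTACH DATABASE 'upgraded.db' AS upgraded KEY 'new-passphrase';  -- placeholder passphrase
SELECT sqlcipher_export('upgraded');       -- copies schema and data into the attached db
DETACH DATABASE upgraded;
```

Verify the result of scenario 2 or 3 by opening the file in a new session with only PRAGMA key and a SELECT; if that succeeds without any compatibility PRAGMA, the database is now on 4.x settings.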

Please review this additional guidance for detailed upgrade and migration scenarios. We have also published a migration guide for Commercial and Enterprise customers upgrading to SQLCipher 4.x using the SQLite-net API.

Availability

Commercial Edition - On-demand access to new releases of SQLCipher Commercial Edition is available to licensees with an active CipherCare subscription, along with private, prioritized support directly from Zetetic. CipherCare subscribers will receive a separate email notification regarding the update and can contact us to request the latest SQLCipher distribution and applicable software license codes.

SQLCipher Enterprise Program - Enterprise Program Subscription customers will receive a separate email notification about the release, and the latest SQLCipher packages and license codes will be provided directly via your organization’s private online software delivery share.

Community Edition - SQLCipher 4.0.1 in source format is directly available on GitHub. The Community Edition of SQLCipher for Android is available via AAR packaging. The Community Edition of SQLCipher for iOS can be compiled from source or using CocoaPods.